简体繁体 English

网站如何在不重新加载页面的情况下检查登录凭据？

[英]How do websites check the login credentials without reloading the page?

原文 2013-02-27 00:53:05 5 3 php/ javascript/ ajax/ authentication/ optimization

Some websites, such as Yahoo and Google , use Ajax to check if the username/password is wrong. 一些网站，如雅虎和谷歌，使用Ajax来检查用户名/密码是否错误。 Obviously there must be server side authentication because anyone can change the local JavaScript and trick it into thinking username/password is correct. 显然必须有服务器端身份验证，因为任何人都可以更改本地JavaScript并欺骗它认为用户名/密码是正确的。 I'm wondering how this is done efficiently since wouldn't the server be checking the same username/password twice? 我想知道如何有效地完成这项工作，因为服务器不会两次检查相同的用户名/密码？ Consider the following scenario where a user logs into a web site: 请考虑以下用户登录网站的情况：

a user comes to the log in page 用户进入登录页面
user enters username/password and clicks submit 用户输入用户名/密码并单击提交
through Ajax the server communicates with the client if the username/password entered are correct 如果输入的用户名/密码正确，则通过Ajax服务器与客户端通信
Server replies saying whether the username/password is correct - in this example it is 服务器回复说明用户名/密码是否正确 - 在本例中它是
The <form> is submitted and an intermittent page takes the inputted values through POST and processes them again on the server side to verify if the username/password is correct and if it is sets a variable in the session <form>被提交，间歇页面通过POST获取输入的值并在服务器端再次处理它们以验证用户名/密码是否正确以及是否在会话中设置变量

In step 5 the server checks for the second time if the same username/password is correct as in step 3. Is there a way to cache the result from step 3 or make the process more efficient? 在步骤5中，服务器第二次检查相同的用户名/密码是否正确，如步骤3中所示。有没有办法缓存步骤3的结果或使流程更有效？ Also the server has already been sent the username/password in step 3. but I'm not sure if that could accelerate the process. 此外，服务器已在步骤3中发送了用户名/密码。但我不确定这是否会加速该过程。

I'm using a MySQL database to store user names and passwords. 我正在使用MySQL数据库来存储用户名和密码。

3 个解决方案

At step 3 your onsubmit handler will send your AJAX request to the server to validate credentials and prevent the normal form submission (by calling .preventDefault() in the handler or returning false from the handler), so step 5 will never happen. 在步骤3，您的onsubmit处理程序将发送您的AJAX请求到服务器以验证凭据并阻止正常的表单提交（通过在处理程序中调用.preventDefault()或从处理程序返回false），因此步骤5将永远不会发生。 If javascript is disabled then you won't have an onsubmit handler and the normal form submission will take place instead. 如果禁用了javascript，那么您将没有onsubmit处理程序，而是会发生正常的表单提交。

In your step 4, if you receive a "correct" response then your AJAX handler can redirect to a new page; 在您的步骤4中，如果您收到“正确”的响应，那么您的AJAX处理程序可以重定向到新页面; if it's an "incorrect" response you'd stay on the login page, clear the form, and put up your error message. 如果是“不正确”的响应，您将保留在登录页面上，清除表单，并提出错误消息。

At point 3, the JS should be submitting your form to server side processing and waiting for a response. 在第3点，JS应该将表单提交给服务器端处理并等待响应。 If JS is disabled then the form would just submit normally. 如果JS被禁用，则表单将正常提交。

As my comment says, not sure i completely agree with your process there, this is how i would picture it 正如我的评论所说，不确定我完全同意你的过程，这就是我想象的方式

a user comes to the log in page 用户进入登录页面
user enters username/password and clicks submit 用户输入用户名/密码并单击提交
Jquery triggers the onclick action, grabbing the user input, sends an ajax request to php, php sanitizes and queries to see if the credentials are found. Jquery触发onclick操作，抓取用户输入，向php发送ajax请求，php清理并查询是否找到凭据。
If they are php sets session and cookie and returns the ajax result. 如果他们是php设置session和cookie并返回ajax结果。
If the credentials are not correct, the php handles that issue as well. 如果凭据不正确，php也会处理该问题。

OR if you didnt want to use ajax 或者， 如果你不想使用ajax

a user comes to the log in page 用户进入登录页面
user enters username/password and clicks submit 用户输入用户名/密码并单击提交
the form routes to a php page the querys the database for user credentials, if they are correct, set session and cookie and redirect to correctLogin.php 表单路由到php页面查询数据库的用户凭据，如果正确，设置会话和cookie并重定向到correctLogin.php
if not redirect to incorrectLogin.php 如果没有重定向到incorrectLogin.php