
Is it safe to redirect page using jQuery and AJAX in authentication

I am creating a user authentication system using PHP, jQuery, and AJAX. On submit, a request will be sent to 'authenticate.php' with the data username & password using AJAX. The PHP code checks a database for the record and returns 0 on success, 1 on failure. Then, if the returned value is 0, the page will be redirected to the 'user private page' using 'window.location="user.php"'.

Now, the question is: is it a safe and proper way to authenticate like this? Are there any security problems in using jQuery/JavaScript to redirect the page?

Since you are working with PHP already, I don't recommend using JS to redirect the user. You can use PHP for that:

session_start();
// $db['password'] holds the password_hash() output, never the plaintext password
if ($user === $db['user'] && password_verify($password, $db['password'])) {
    session_regenerate_id(true); // new session id after login (prevents session fixation)
    $_SESSION['logged_in'] = true;
    header('Location: user.php');
    exit; // stop here, otherwise the rest of the script still runs after the redirect
} else {
    echo 'username or password is wrong';
}

Then on your user.php file:

session_start();
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {
    echo 'welcome to the user page';
} else {
    header('Location: index.php'); // go back to login page
    exit; // do not fall through and render the private content anyway
}

If people go directly to the user.php page, they will be redirected to the index.php page.

Now, the question is: is it a safe and proper way to authenticate like this?

Only if inside your user.php you check again if the user has successfully authenticated already. (This is usually where sessions come into play.)

Otherwise, of course everyone who knows the URL of user.php can access it directly.

Are there any security problems in using jQuery/JS to redirect the page?

The only difference between window.location="user.php" (which is wrong, btw. – correct would be window.location.href="user.php" ) and, say, a normal link to that page, <a href="user.php">foo</a> , is that the first one happens automatically, and the second one would require the user to click the link first.

So, it is as “secure” as if you had used a simple link. What that actually means here in this case depends on what I said above.
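Pulling the two answers above together: the client-side redirect is only a convenience, and what actually protects the private page is the server refusing to render it without a valid session. The following is an added example written for this page (it is not code from the question or from any of the answers). It stands in for both authenticate.php and user.php in one file, keyed on the request path, and assumes a `users` table with `username` and `password_hash` columns (the latter produced by PHP's password_hash()), a SQLite database file `users.db`, and a login page at index.php; all of those names are assumptions. The success/failure value returned to the AJAX caller (the question's 0/1, JSON here) has no security role at all: whether the browser then sets window.location.href or the user types user.php by hand, the request arrives at requireLogin() and is judged on the session cookie alone.

```php
<?php
// Added example, not the original poster's code. Plays the role of both
// authenticate.php (POST) and user.php (GET) depending on the request path.
declare(strict_types=1);

session_start();

// Assumption: SQLite file with table users(username TEXT, password_hash TEXT).
$pdo = new PDO('sqlite:users.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown username, so the
    // response time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a fresh session id on login so a session id planted before
    // authentication (session fixation) is not upgraded to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// The only check that matters: the private page gates on server-side state,
// not on how the browser got here (script redirect, link or typed URL).
function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: index.php', true, 302);
        exit; // without exit the private content below would still be sent
    }
    return $_SESSION['user'];
}

$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($path === '/authenticate.php' && $method === 'POST') {
    // Answer the AJAX call with JSON; the client redirects on "ok": true.
    header('Content-Type: application/json');
    $ok = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    http_response_code($ok ? 200 : 401);
    echo json_encode(['ok' => $ok]);
    exit;
}

if ($path === '/user.php') {
    $user = requireLogin();
    echo 'welcome to the user page, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    exit;
}

http_response_code(404);
```

The jQuery side stays as the question describes it (on a successful response, set window.location.href = 'user.php'); a quick check that the gate works is to request user.php with curl and no cookie jar, which must yield a 302 to index.php, and again after a POST to authenticate.php with the cookie jar, which must yield the 200 page.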

Depends on how secure and compliant you want your application to be. According to RFCs it's not recommended to log in like that, but to keep the form on the server side and integrate the login form on the frontend (via iframe), then just redirect with the redirect URL and token, scopes etc. to a local HTML page which then e.g. sends a window postMessage to your frontend application.

https://tools.ietf.org/html/rfc6749#page-19

If you just want to be quick and dirty you can go for window.location.href or document.location.href .

Or, a bit more secure, send the user to the server and let them be redirected back, but this can end up in redirection hell, as it's not easy to get back to the state the user was in (including settings and such).

Anyway, you will always have to check the current user's session state on the server side (sessions), whatever you do afterwards.
