is it safe to use javascript redirects?

Question

I am hoping to create an ajax sign in form, which redirects the user on sign in - this is going to check the username and password in the database, and send a true value to the client.

As such I want to do window.location="http://www.someplace.com/mypage.html";

Is this safe? Is there any way of users disabling javascripts redirects?

Answer 1

The user can always disable anything that is javascript based.

That said, using javascript for redirection is not in itself unsafe, and i don't see an abuse scenario, only a breakage scenario.

All in all it depends how you define safe :)

Answer 2

It's not unsafe, but there are 2 alternatives about redirecting without using JS (or if someone has JS disabled):

1) by adding a meta tag in your head

<meta http-equiv="refresh" content="0;url=http://www.someplace.com/mypage.htm/" />

2) better, by a server side redirect ie (php)

<?php
   header( 'Location: http://www.someplace.com/mypage.htm' ) ;
?>

Edit: As I replied to @Spudley comment, these are 2 other methods to redirect to a page without JS enabled.. in your case @Ashley Ward I think it's the correct way to redirect a page for an ajax-form :)

Ps a form should work both in ajax and non-ajax way ;) ..remember what other users correctly said: JS can be disabled

Answer 3

In addition to Martin good answer, don't forget to protect yourself against SQL injection attacks: user can very easily access your target page by himself and send "fake" AJAX requests with malicious stuff like 1' OR 1=1 as the username or password.

Unlike what you might think, AJAX requests are not totally hidden from the user and can be easily detected and manipulated using simple tools available for anyone.

Answer 4

Remember that Javascript is all run in the client browser. The user can see the code, and with the right tools can edit it in-situ.

Therefore nothing is "safe" when you're running in Javascript in the browser. You should always assume that a malicious user can and will modify your ajax calls, tweak your variables and change the flow of your javascript code.

However, as long as you've catered for that by making your server-side code secure (ie preventing SQL injection attacks, etc), then you don't need to worry too much about that. A hacker will be trying to break your site, so there's no need for you to worry about whether things will work for him.

For the purposes of a normal user simply running the code normally, then the answer is Yes: your JS redirect should be perfectly safe. The user can switch off Javascript, but of course the Ajax event wouldn't have worked either if the JS was disabled.

If you've written your ajax code to have a fall-back for non-JS users, then you may want to provide a fall-back for the redirect as well, but in all probability your ajax fall-back would load straight to the redirected page anyway.