Simple SSL - what do I need to do to make my ajax'd SSL password secure

I have a user login / registration system with a user management admin area.

Just some background:

Currently login is "ajaxy": the user clicks login, a loading gif appears and hangs while in the background the details are checked and sessions are created.

If all goes well, the client side javascript will refresh the page to the correct location.


Now if I wanted to use SSL, what should I do?

    • The "ajax" call - I need to secure it - do I do that by making it an HTTPS call, and is that enough?

      • 1.1 I am currently using jQuery $.post with a relative path to login.php in order to check the user's login details. Should I make it absolute - for example

    • If the redirect after login also goes to https

(site owner must have SSL certificate, etc.)




2 answers

Everything must go through SSL.

  • If the page is served over HTTP and the Ajax call goes to HTTPS, you run into the same-origin policy
  • If the conditions above hold but you use CORS to bypass the policy, then a man-in-the-middle attack could alter the page from which the request is made and add (for example) extra JS to steal the credentials from the page (instead of from the HTTP request)
  • If you redirect to HTTP after the user is logged in, then you are vulnerable to the Firesheep problem

So, display the SSL login page, and once the user is logged in, continue using SSL.



Everything sent over the SSL connection is encrypted, so yes; for your AJAX calls, using SSL will suffice. In practice, you'll also want the page on which the AJAX calls are made to use SSL to avoid origin policy issues.

Whether you use a relative or an absolute path makes no difference to security; it's just a matter of taste.

Assuming you don't want the user's cookie or other actions to be sniffed, then yes, after the user is logged in all subsequent requests must use SSL as well. HTTPS doesn't add much overhead, so there is usually no reason not to use it when it's available to you.
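Both answers say the same thing: the page, the login POST and the post-login redirect all have to stay on HTTPS, and the relative-versus-absolute question only matters because a relative path inherits the page's scheme. The following is an added example (not code from the question or either answer) that resolves the endpoint the way a browser would and flags the cases the answers warn about; `example.com` is a constructed placeholder host.

```javascript
// Added example: resolve the login endpoint and the post-login redirect as the
// browser does, and refuse anything that would send credentials or the session
// cookie over plain HTTP or across origins. Uses the WHATWG URL API (Node/browser).

// An origin is scheme + host + port, so http://example.com and https://example.com
// are different origins. That is the same-origin problem the first answer mentions.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Resolve a relative or absolute endpoint against the page URL and classify it.
// A relative "login.php" inherits the page's scheme, so an http:// page yields an
// http:// POST regardless of what the server supports.
function checkLoginEndpoint(pageUrl, endpoint) {
  const page = new URL(pageUrl);
  const target = new URL(endpoint, page.href);   // browser-style resolution
  if (target.protocol !== 'https:') {
    return { ok: false, url: target.href, reason: 'credentials would be posted over plain HTTP' };
  }
  if (originOf(target) !== originOf(page)) {
    // Absolute https URL from an http page: cross-origin, needs CORS, and the
    // http page itself can be modified in transit to capture what the user types.
    return { ok: false, url: target.href, reason: 'cross-origin request from a page that is not itself protected' };
  }
  return { ok: true, url: target.href, reason: 'https, same origin' };
}

// After login the session cookie rides along on every request; a redirect to
// http:// exposes it on the wire (the Firesheep case from the first answer).
function checkRedirect(pageUrl, location) {
  const target = new URL(location, pageUrl);
  return target.protocol === 'https:' && originOf(target) === originOf(pageUrl);
}
```

On the server side the same rule is enforced by marking the session cookie `Secure` so the browser never sends it over HTTP, whatever the redirect does.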


