Creating a secure login system using XMLHttpRequest
This is an example of a login system that does not require page refreshes, but is still very secure.
- Valid usernames and passwords for this demo are
- Try these, and also incorrect passwords, to see the results.
- The user does not need to refresh the page to log in.
- The user is notified instantly of an incorrect username/password combination.
- The overall user experience is more seamless.
- The password is never sent in plain text (more secure than a traditional system).
- A one-time random seed is used to hash the password before it is sent (making an intercepted request useless).
- The system is more prone to brute-force attacks.
  - This can be mitigated by adding a delay after a certain number of attempts per username or per client.
- The user may expect a login button.
  - One could still be added without reloading the page.
- Older versions of Safari cannot disable a password field.
- This code uses the MD5 hash algorithm.