Question

I use MVC5 for a site where users have to login with custom credentials. I've changed the login procedure from the initial auto-generated code to a somewhat single page approach.

  1. Users enter their credentials
  2. these are sent via ajax to the controller
  3. if the credentials are valid, a loading animation shows and the main page is being loaded via ajax
  4. the controller that returns the main page is annotated with the [Authorize] attribute.

I wonder: is there something basic that speaks against such an approach? The site I run does not have any top secret contents, but it should not have a backdoor just because I missed something basic here.

From what I could see, MVC5's auto-generated login procedure sends the credentials in plain text as well, just like the ajax post I use. The auto-generated login includes a RequestVerificationToken which I omitted.

Thanks for any ideas!


Solution

Using AJAX to authenticate a user is a common approach. A couple of things I would recommend:

  • Whenever you are sending credentials like a username/password combination it should always be done via SSL. Even after the user is authenticated all requests should be sent over SSL to prevent a hacker from stealing the security token.
  • Make sure that there is no UI code in your AJAX calls. AJAX is used for sending and retrieving data only. Your UI should be on the client using a framework such as Knockout, Backbone, or Angular. Even if you are not doing a full blown SPA (Single Page Application) and do not require one of those frameworks, select a client side templating framework like Mustache or Handlebars.
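As an added example that is not part of the original question or answer: a client-side login helper for an MVC5 site that authenticates over AJAX. It refuses to post credentials unless the page itself was served over HTTPS, forwards the `__RequestVerificationToken` that Razor's `@Html.AntiForgeryToken()` renders as a hidden input (so the controller can keep its `[ValidateAntiForgeryToken]` check instead of dropping the token, as the question describes), and only loads the `[Authorize]`-protected main page when the server reports success. The endpoint paths (`/Account/Login`, `/Home/Main`), the form field names `UserName`/`Password`, the element ids, and the JSON response shape `{ok: true}` are assumptions made for this example, not part of the MVC5 template.

```javascript
// Added example, not code from the original post. Endpoint paths, field names,
// element ids and the {ok: true} response shape are assumptions for this example.

const TOKEN_FIELD = "__RequestVerificationToken";

// Build the login request. `pageUrl` is the URL of the page doing the login
// (normally window.location.href) and `token` is the anti-forgery token taken
// from the hidden input rendered by @Html.AntiForgeryToken().
function buildLoginRequest({ pageUrl, username, password, token }) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    // Credentials must never leave the browser over plain HTTP.
    throw new Error("refusing to send credentials: page not served over HTTPS");
  }
  if (!token) {
    throw new Error("anti-forgery token missing: render @Html.AntiForgeryToken() in the login view");
  }
  // MVC5's [ValidateAntiForgeryToken] reads the token from a form field named
  // __RequestVerificationToken and pairs it with the anti-forgery cookie, so the
  // body is sent form-encoded rather than as JSON.
  const body = new URLSearchParams({
    [TOKEN_FIELD]: token,
    UserName: username, // assumed view-model property names
    Password: password,
  });
  return {
    url: new URL("/Account/Login", page).toString(), // assumed login action
    options: {
      method: "POST",
      credentials: "same-origin", // send/receive the auth and anti-forgery cookies
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Decide what to do with the server's answer. Only a successful, well-formed
// response leads to loading the [Authorize]-protected main page.
function nextStep(status, json) {
  if (status === 200 && json && json.ok === true) {
    return { action: "load-main", url: "/Home/Main" }; // assumed protected action
  }
  if (status === 401 || status === 400) {
    return { action: "show-error", message: "Invalid username or password" };
  }
  return { action: "show-error", message: "Login failed (HTTP " + status + ")" };
}

// Browser wire-up: read the token from the hidden input and run the flow.
// Element ids "content" and "login-error" are assumed for this example.
async function login(username, password) {
  const tokenInput = document.querySelector(`input[name="${TOKEN_FIELD}"]`);
  const req = buildLoginRequest({
    pageUrl: window.location.href,
    username,
    password,
    token: tokenInput ? tokenInput.value : "",
  });
  const res = await fetch(req.url, req.options);
  const isJson = (res.headers.get("content-type") || "").includes("application/json");
  const json = isJson ? await res.json() : null;
  const step = nextStep(res.status, json);
  if (step.action === "load-main") {
    // The main page is fetched with the auth cookie; the controller enforces [Authorize].
    const main = await fetch(step.url, { credentials: "same-origin" });
    document.getElementById("content").innerHTML = await main.text();
  } else {
    document.getElementById("login-error").textContent = step.message;
  }
}
```

The anti-forgery token and the `[Authorize]` attribute protect different things: `[Authorize]` on the main page controller only checks that the auth cookie is present and valid, while `[ValidateAntiForgeryToken]` on the login action stops a third-party page from submitting a login on the user's behalf (login CSRF). Keeping the hidden field and posting it form-encoded, as above, lets the AJAX flow reuse the same server-side check the generated template already has.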
License: CC-BY-SA with attribution