I’ve got an ajax based script that is designed purely to run a php script to authenticate a user. As there is with user authentication, there could be one of two outcomes: either they get authenticated or they don’t.
To signify success or failure back to the page that called it is extremely easy: you just `echo 'success';` or `echo 'failure';` accordingly and have the JS/jQuery script handle it by the response string. (Or at least I think that's good practice..)

But apart from essentially returning true or false, if it returned false I would also like to give a message back as to why it failed. Did the user exist? Was the password incorrect? Or did the database access go wrong and need to spit out a technical error code. Since we are responding with true or false already, we can’t send back a message alongside with the false statement otherwise it technically isn’t false as there is more data.

Now I have had these ideas, but I feel like there is a better way to do it:

  • Return an array [true/false, “String to display”] though this seems clunky within the PHP file and also parsing it on the page
  • Return success when we want to return true, and label anything else as a failure and assume it’s a message for failure

But in all honesty I feel like this whole text response method is bad, especially for something like user authentication, as it could possibly be spoofed easily(?), so what would be the recommended way to achieve something like this?

Thanks in advance!

  • You can easily handle it with JSON. Commented Feb 19, 2016 at 3:02
  • Anything can be spoofed at the client side; that is why sessions exist in PHP, which is server side. What you send and how you parse it at the client side depends purely on your skill set and taste, but I would also suggest JSON, as it is much easier to handle/maintain. Note: I would never tell the user specifically whether the user doesn't exist or the password is wrong (giving more options to hack); I would just say "wrong credentials". Commented Feb 19, 2016 at 3:10
  • If you want to learn more about best practices, check out existing PHP frameworks to see how they do it. For example, Laravel just added a feature to throttle authentication requests: By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts. The throttling is unique to the user's username / e-mail address and their IP address. laravel.com/docs/5.2/authentication#authentication-throttling Commented Feb 19, 2016 at 3:15
  • A great place to start: stackoverflow.com/questions/549/… Commented Feb 19, 2016 at 3:19
  • @bansi In terms of the session, that is all handled in PHP with the session ID, cookies and a whole bunch of other verification, so even if the user spoofed it client side to get past the login window, it would spit them straight back due to a dodgy session. Also, I never say either "no user" or "wrong password", but there are scenarios where I would need to display another message apart from bad credentials, such as 'account not activated' or 'account has been banned for x amount of time'. These are cases which I believe would be important to not only return a fail but a message alongside it. Commented Feb 19, 2016 at 5:22

1 Answer


This is purely opinion based, but I think you're missing two important concepts when handling communication between two systems such as PHP (server) and Javascript (client).

One, evaluating response codes. If the HTTP response code is 200, it indicates OK, 201 indicates a resource was created (possibly a session), 401 indicates the user is unauthorized. Given this, just by the HTTP response, you should be able to tell if the action succeeded or not.

Two, using JSON or a markup language. You can pass a JSON string to include both the status and the message and parse the JSON string in Javascript.

Example in PHP being:

<?php
// Signal the outcome with an HTTP status the client can branch on...
http_response_code(401);
// ...and carry both the flag and the user-facing message in a JSON body.
header('Content-Type: application/json');
$response = [
    'success' => false,
    'message' => 'Password incorrect'
];
echo json_encode($response);

4 Comments

Excellently worded answer.
@Darren Should I make the jQuery pick up on the response code?
@SteppingHat, jQuery will automatically interpret a 2XX code as a success and a 4XX as a failure (.done() and .fail() respectively). You can also change the action based on the specific status code: api.jquery.com/jquery.ajax. This goes beyond just jQuery though; HTTP response codes are useful for any integration.
So would I even need to return response as an array? If jQuery can interpret a success or a failure via the response code, why can't I just echo a message on its own?
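The status-code plus JSON-body contract from the answer, written out for both ends of the exchange as an added example (not code from the question, the answer or the comments). The outcome labels and the function names `buildAuthResponse` / `interpretAuthResponse` are assumptions for illustration; the client half makes explicit what jQuery's .done()/.fail() split does implicitly, and it also covers the case the last comment raises: a bare echoed string breaks down when the server returns a non-JSON body (an HTML fatal error or an empty 502), so the message the user sees should be chosen from the status class, not from raw server output.

```javascript
// Server side (assumed helper): map an internal authentication outcome to an
// HTTP status and a JSON body using the answer's 'success'/'message' keys.
// Unknown user and wrong password share one message, so the response does
// not reveal which accounts exist (as the comments recommend).
function buildAuthResponse(outcome) {
  const table = {
    ok:            [200, { success: true,  message: 'Logged in' }],
    no_user:       [401, { success: false, message: 'Invalid credentials' }],
    bad_password:  [401, { success: false, message: 'Invalid credentials' }],
    not_activated: [403, { success: false, message: 'Account not activated' }],
    banned:        [403, { success: false, message: 'Account temporarily suspended' }],
  };
  // Anything else is a server-side fault: generic 500, details stay in the server log.
  const [status, body] = table[outcome] || [500, { success: false, message: 'Server error' }];
  return { status, body: JSON.stringify(body) };
}

// Client side (assumed helper): turn (status, response text) into a uniform
// {ok, message} the page can display, tolerating bodies that are not JSON.
function interpretAuthResponse(status, bodyText) {
  let body = null;
  try {
    body = JSON.parse(bodyText);   // may be HTML or empty on a PHP fatal error or proxy error
  } catch (_) {
    body = null;
  }
  if (status >= 200 && status < 300) {
    return { ok: true, message: (body && body.message) || 'Logged in' };
  }
  // 4xx: the server's JSON message is intended for the user (credentials, activation, ban).
  if (status >= 400 && status < 500 && body && typeof body.message === 'string') {
    return { ok: false, message: body.message };
  }
  // 5xx or unparseable body: never surface raw server output to the user.
  return { ok: false, message: 'Login is temporarily unavailable' };
}
```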
