
Why is AJAX authentication through HTTP considered to be insecure?

Let's consider the following scenario: assume I have a web app, and user authentication is performed through a modal dialog window (let's say that when a user clicks the login button, an AJAX request is sent and, depending on the callback, I either close the window or display an error), and I use only the HTTP protocol. Why is this considered an insecure way to do things?

Also, please make sure that the modal dialog window is taken into account, because this is vital info. There may be some data displayed underneath the dialog window, and it can become accessible if modality is broken.

The question includes both:

  1. How can you break an app's security by utilizing an AJAX call?
  2. Is AJAX over HTTP less secure than a regular form over HTTP?


Whoever told you that is wrong. AJAX through POST is not less secure than a POST from a regular form, simply because it is the same thing.

Update 1, according to the last edit:

  1. You cannot
  2. No

Argument: the AJAX request is the same HTTP request as any other (such as a request sent by an HTML form). Absolutely the same. So by definition it cannot be less or more secure.

I don't know how else to explain it or what else to say: AJAX is an HTTP request, the same request your browser makes when you open an SO page or when you post the SO question form.

I can rephrase your question as something like "Why is A less secure than A?" The answer: A is not less secure than A, because A is A :-S


Any sensitive data should be channeled through HTTPS. GET data is sent in the query string. POST data is sent in the HTTP request header. AJAX can do both. Neither is secure. You need channel-level encryption to really secure it.


HTTP isn't secure for private data because the data is transmitted in plaintext. This can be intercepted anywhere between the client and the server (e.g. on Wi-Fi). AJAX over HTTPS would be much better.


I think the issue is that you are using HTTP. No matter how you look at it, it won't be secure. If you use HTTPS, the AJAX request will be just as secure as an HTML form.

So my answer would be to use HTTPS and you will be all set.


I'm no security expert, but I think it might be more secure to send it over HTTPS. Just googling shows me that it can be done securely, though:

http://www.indicthreads.com/1524/secure-ajax-based-user-authentication/
http://msdn.microsoft.com/en-us/magazine/cc793961.aspx (focused on ASP.NET)
etc.


Since browsers use the same network stack for HTTP and HTTPS, whether the request is AJAX or not, there is no difference. All the headers, cookies, authentication, etc. work exactly the same.
