且构网


Ajax login and JavaScript cookies: is this secure?

Updated: 2023-02-02 18:11:29


I'm making an Ajax login system and I wonder if this is secure:

  1. Post the username and the password with Ajax
  2. Check the login server-side; if valid, return the new session id and the user id in a JSON string
  3. Get the JSON with JavaScript, then create the session cookies "session_id" and "user_id"
  4. Call the page where the logged-in user is redirected with Ajax

Thanks

Secure for 08/15 website: yes
Secure for online banking: no

The method you use is equivalent to an unencrypted everyday login <form>. Albeit you should really not rely on a "user_id" cookie. Rather save the verified user_id in the session store only.

Also you might try to simply return the session cookie on the JSON result for the AJAX call. It usually sticks to all further HTTP requests, so you don't need (3) to set the cookie via Javascript additionally.