Is my login system secure?

Problem

I have recently been making a CMS and I need a secure login system, so this is my code. How is it?

First: the HTML code for signup and login:

Second, the code for the jQuery Ajax request for signup:

```
$(function () {
  $("#submit-signup").click(function () {
    // Read the signup form fields
    var firstname = $("#firstname").val();
    var lastname = $("#lastname").val();
    var email = $("#email").val();
    var password = $("#password").val();
    var re_password = $("#re_password").val();

    if (password === re_password) {
      // validateEmail() is not part of the posted snippet (defined elsewhere)
      if (validateEmail(email)) {
        if (firstname == "" || lastname == "" || email == "" || password == "" || re_password == "") {
          alert("");
        } else {
          // Field values are concatenated into the request body as-is (no encoding)
          $.ajax({
            url: "resourcs/check_email.php",
            type: "POST",
            data: "firstname=" + firstname + "&lastname=" + lastname + "&email=" + email + "&password=" + password + "&re_password=" + re_password,
            success: function (d) {
              if (d === "ok") {
                $.ajax({
                  url: "resourcs/register.php",
                  type: "POST",
                  data: "firstname=" + firstname + "&lastname=" + lastname + "&email=" + email + "&password=" + password + "&re_password=" + re_password,
                  success: function (d2) {
                    if (d2 === "ok") {
                      location.reload(true);
                    } else {
                      alert(d2);
                    }
                  }
                });
              } else {
                switch (d) {
                  case "error1":
                    // the posted snippet ends here
                }
              }
            }
          });
        }
      }
    }
  });
});
```

Solution

Flow Security

  • You should repeat the email validation on the server side too (JS validation could be bypassed).

  • You don't check if the user is already inserted during sign up. There is no unique key in your users table. So I can sign up with your admin email and (according to your code) I'm in. If somewhere in your code you don't check users.id but only the email, then you have a problem.

  • You should not log the client in after the sign up, especially if you don't force an email check (validation link). Generally this is a possible backdoor if you have some other bug somewhere (as in the first point, for example). Another point is that it allows bots to enter the restricted area. That's not a great idea.


Structure security

  • Use a unique key on fields that must be unique (email in this case).


Language security

  • mysql_real_escape_string is deprecated and it will be removed. You must use PDO and prepared statements.

  • md5 or sha-1 are not so great. Use scrypt if you can; bcrypt if you cannot.

  • If I use the character & in my password, then my account is exploitable, because your JavaScript code is:

```
data : "email="+email+"&password="+password,
```

With real data it will be:

```
data : "email=my@email.it&password=my&!verystrong!!_#@[**password",
```

So my very strong password will be truncated at the 2nd character. Both login and signup have the same issue. So my password will be valid and I can never suspect this issue. But a brute-force attack will be more effective (my password will simply be "my").
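The truncation described in the answer, as an added example that is not part of the original question or answer: the body is built the way the reviewed snippet does it, then decoded the way a form-encoded server would, beside a percent-encoded version. The email is constructed; the password is the answer's own; the `+` case goes one step beyond the answer to show a second character that is silently altered.

```javascript
// Added example (not code from the question or the answer). Shows why a "&"
// in a password is lost when the POST body is string-concatenated, and that
// percent-encoding the values (what jQuery does when `data` is an object)
// preserves it. The email address below is constructed.

// Mirrors the reviewed snippet: values concatenated into the body unencoded.
function buildBodyUnsafe(email, password) {
  return "email=" + email + "&password=" + password;
}

// Fix: percent-encode every value. Passing `data` to $.ajax as an object
// ({ email: email, password: password }) makes jQuery do the same thing.
function buildBodySafe(email, password) {
  return "email=" + encodeURIComponent(email) +
    "&password=" + encodeURIComponent(password);
}

// Decode the body as a form-encoded server (e.g. PHP filling $_POST) does:
// split on "&", then on "=", percent-decode, and turn "+" into a space.
function serverSideField(body, name) {
  return new URLSearchParams(body).get(name);
}

// The password the server actually sees under each strategy.
function comparePasswordHandling(email, password) {
  return {
    unsafe: serverSideField(buildBodyUnsafe(email, password), "password"),
    safe: serverSideField(buildBodySafe(email, password), "password"),
  };
}

const EXAMPLE_EMAIL = "my@email.it";                        // constructed
const EXAMPLE_PASSWORD = "my&!verystrong!!_#@[**password"; // from the answer

// "&" splits the body: the stored password becomes just "my".
console.log(comparePasswordHandling(EXAMPLE_EMAIL, EXAMPLE_PASSWORD));
// { unsafe: 'my', safe: 'my&!verystrong!!_#@[**password' }

// "+" is altered too: the unencoded body turns "a+b" into "a b".
console.log(comparePasswordHandling(EXAMPLE_EMAIL, "a+b"));
// { unsafe: 'a b', safe: 'a+b' }
```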

Context

StackExchange Code Review Q#79870, answer score: 4
