Ajax Security (hopefully)

I am creating a browser game and I'm using a lot of ajax instead of refreshing pages. I am using PHP and JavaScript. After a lot of work, I noticed that ajax is not completely safe. The threat that worries me is that if someone wants to find some information on my SQL server, they just need to send the right data to the .php file behind my ajax calls. I used the GET style of ajax calls, which was a bad idea. In any case, after a lot of reading, I have the following safety measures. I switched to POST (which is actually not more secure, but it's a slight deterrent). I also have a check in place that can again be tampered with, but again it's another deterrent.

The last measure I have in place, and the focus of this question, is this: when my site loads, I generate an 80-char hex key and save it in the session, and when I send an ajax call I also send a challenge key in the form

challenge=<?php echo $_SESSION["challenge"]; ?>

The ajax PHP file then reads this and checks that the challenge being sent matches the one in the session. By itself this doesn't do much, because you can just open Firebug and easily see what is being sent. So what I do is, once a challenge has been used, generate a new one in the session.

So my question is: how safe is this as it stands? They can only see what the call looks like after it has been sent, by which point the challenge has been updated, and they cannot see the new one before it is sent, which should make it impossible to send a fake request from another source. Does anyone see a hole in this security method, or have any additional thoughts or ideas?

+8
javascript jquery html ajax php
3 answers

See meagar's answer.

I would like to mention:

By passing an identifier around in the session, you are doing what the session already does. Usually there is a cookie with a unique identifier, similar to the one you create, which tells your application, in essence, who this person is. This is how PHP sessions work in general.

In this case, you will need to check, for this request (POST or GET), that this particular user (whose unique user ID or similar is stored in the session) has permission to add / modify / delete / whatever for this particular request.

So for a "search" query you return only those results that user X is allowed to view. That way you don't worry about what they send: if the user doesn't have permission to do something, the system knows not to let them do it.

Hence, "you must authenticate all requests."

Someone is not shy about it.

+1

Your definition of "safe" is vague. You seem less interested in preventing data interception and more interested in preventing people from sending their own requests to your server. That isn't security, it's just good application design: your program should not accept requests that would put it in an invalid internal state. There is absolutely nothing you can do to prevent people from sending whatever data they want. The solution is to validate the data they send on the server side, not to try to stop them from sending it on the client side, which will always fail.

I switched to POST

Don't worry about that; it has nothing to do with security. Use whichever HTTP verb is appropriate for the request. Are you requesting information? Use GET. Are you updating / inserting / deleting information? Use POST.

if someone wants to find some information on my SQL server, they just need to send the right data to the .php file associated with

You must authenticate all requests to ensure that the caller has access to the data they request. SSL will help you authenticate securely.

when my site loads, I generate an 80-char hex key and save it in the session, and when I send an ajax call I also send a challenge key

This won't help. The whole premise of your question seems to be that the user has Firebug or a similar HTTP debugging tool installed. If they do, your session key is useless.

+10
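What "authenticate all requests" looks like in the sql.php the question describes, as an added example that is not part of the original question or any of the answers. It assumes a hypothetical `planets` table with an `owner_id` column, PDO, and that the login code stored the authenticated user's id in `$_SESSION['user_id']`; the database credentials are placeholders. The point is that every decision is made from server-side state, and nothing the client sends (including the challenge) is treated as proof of anything.

```php
<?php
// Added example, not the question's sql.php: a request handler that treats
// every POST parameter as untrusted and decides access on the server side.
// Assumed (hypothetical): a "planets" table with id, owner_id, name, metal,
// crystal; PDO; login stored the user's id in $_SESSION['user_id'].
session_start();
header('Content-Type: application/json');

// 1. Authenticate: who is calling? The session cookie already identifies the
//    user; an extra "challenge" value cannot prove more than the session does.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. Optional same-origin check: a session-bound token stops *other sites*
//    from making this browser submit the request (CSRF). It authorizes nothing;
//    the user who can read the page can read the token.
if (!isset($_POST['challenge'], $_SESSION['challenge'])
    || !hash_equals($_SESSION['challenge'], (string) $_POST['challenge'])) {
    http_response_code(403);
    echo json_encode(['error' => 'bad token']);
    exit;
}

// 3. Whitelist the action instead of letting the client name tables/columns.
$allowed = ['get_resources', 'set_name'];
$type = $_POST['type'] ?? '';
if (!in_array($type, $allowed, true)) {
    http_response_code(400);
    echo json_encode(['error' => 'unknown action']);
    exit;
}

$db = new PDO('mysql:host=localhost;dbname=game', 'game', 'placeholder', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// 4. Authorize: every query is scoped to the logged-in user with the id taken
//    from the session, never an id the client sent. Prepared statements keep
//    the (still untrusted) values out of the SQL text.
$planetId = (int) ($_POST['planet'] ?? 0);
switch ($type) {
    case 'get_resources':
        $stmt = $db->prepare(
            'SELECT metal, crystal FROM planets WHERE id = :id AND owner_id = :owner'
        );
        $stmt->execute([':id' => $planetId, ':owner' => $userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            // Not theirs, or does not exist: same answer either way, so the
            // response does not reveal which ids belong to other players.
            http_response_code(404);
            echo json_encode(['error' => 'no such planet']);
            exit;
        }
        echo json_encode($row);
        break;

    case 'set_name':
        $name = trim((string) ($_POST['value'] ?? ''));
        if ($name === '' || mb_strlen($name) > 32) {
            http_response_code(400);
            echo json_encode(['error' => 'bad name']);
            exit;
        }
        $stmt = $db->prepare(
            'UPDATE planets SET name = :name WHERE id = :id AND owner_id = :owner'
        );
        $stmt->execute([':name' => $name, ':id' => $planetId, ':owner' => $userId]);
        // rowCount() of 0 means the planet is not the caller's: nothing changed.
        echo json_encode(['updated' => $stmt->rowCount() === 1]);
        break;
}
```

With this shape, a player who crafts a request in Firebug can only ever do what the server already allows that player to do; the rotating challenge adds nothing against them, which is the point both answers above make.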
```javascript
// Posted snippet, reformatted and completed: the jQuery wrapper around sql.php
// that sends the session "challenge" with every call. Values are passed as an
// object so jQuery URL-encodes them; the original concatenated them into a
// raw query string.
function mysqlRequest(type, server, name, value, sync) {
    $.ajax({
        type: 'POST',
        url: 'sql.php',
        data: {
            server: 's' + server,
            type: type,
            name: name,
            value: value,
            // Rendered into the page by PHP when it is served.
            challenge: "<?php echo $_SESSION['challenge']; ?>"
        },
        cache: false,
        dataType: 'json',
        async: sync,
        success: function (data) { },
        complete: function () { }
    });
}
```
0
