Edit in Place Update Script Security

Question

I'm using an Edit in Place jquery plugin which needs to post the data to a script that will do the actual database update.

The URL to this update script is easily viewable in the html source as well as with Firebug, so I need to add some sort of authentication check before the update is processed. This is of course so the user can't just pass in any old userid / field / value they want and mess with other people's records.

I was initially passing their username and password in as well, but this isn't ideal as it's in a GET request so it's all in the URL. The site itself is SSL at least, but still.. Not a best practice by any stretch.

What's the best way to authenticate this type of update?

FWIW, the update script is in PHP, and the Edit in Place plugin is: jeditable.

Thanks SO Hive Mind!

EDIT: To clarify: The actual data payload is POSTed to the script, but the edit in place plugin has no explicit method for authentication, so I was passing the authentication as part of the URL to the update script, which was then taking those variables via GET and using them to check.

EDIT2: Yes, I can access the session info from the update script, so I've decided to just pull the previously saved User ID and using that in the db update statement. That would appear to be the most secure method.

Answer 1

To pass the information you should use the session id in the actual GET string. This way the php script can connect to the session, validate the user, and see if the user has the rights to edit what they've posted. Then if they have the rights, proceed, or else return an error message.

I believe you can, in javascript, get the session id so it needn't be passed overtly.

Answer 2

I think you'd be best off switching the script to a POST method as most edit-in-place uses will be too big to use GET practically. You should never use the SessionId or the password as a URL parameter and I wouldn't use the username for anything but viewing a public profile. If your AJAX URL is a PHP file, I'm fairly certain it should be able to access the session without needing to pass it in either a GET or POST array. As an additional note, make sure that you validate and sanitize all information before updating the database.

Answer 3

Isn't the site still vulnerable to Cross-Site Request Forgery if you simply look up the user in the session?

You can POST all needed information if you include a salted hash field calculated from values of non-editable POST fields. If you include a timestamp, you can prevent script replay as well.

Example:

$(".edit_area")
  .editable("http://www.example.com/save.php", { 
    submitdata: { 
      userid: 'johnsmith',
      pageid: '123',  // or other value unique to the page
      timestamp: '1324354657',  // time when page loaded
      hash: '0bee89b07a248e27c83fc3d5951213c1' }
    // ..other settings, etc.
});

The hash could be e.g. an MD5 of 'johnsmith$123$1324354657$' + $secret_salt. Check that it matches before saving. Optionally reject if too little or too much time has passed.

The ditch-pycrypto branch of django-magicforms implements this as a re-usable Form base class for Django. It's not directly applicable to AJAX requests, but the documentation and unit tests should provide a good basis for other implementations.