Security: Form Submission + javascript/jQuery

views:

answers:

+1 Q:

Security: Form Submission + javascript/jQuery

Question:

What is best practice for form submissions while keeping in mind security?

This may be a n00b question but I'm concerned that people might be able to alter some data as its being submitted. Take my example:

I have a form that has a hidden input that stores a user's unique Facebook ID. I take that Facebook ID and create a user account from it. If I use jQuery, won't some users be able to change the data being posted?

+2 A:

Users will always be able to post whatever data they like to your server. You can't do anything to change that with javascript. With a decent browser it's easy to find hidden form fields, unhide them, and put whatever you want in them. A more skilled user can craft an http post by hand and send whatever they like. Security must be done on the server, not on the client.

no 2010-07-18 06:48:31

So there's no way to prevent them from sending over an invalid FB Id?

st4ck0v3rfl0w 2010-07-18 06:53:02

Nope, other than checking facebook somehow to see if it exists on their site.

no 2010-07-18 06:57:16

+2 A:

It is just as safe as a regular form post. Both methods can be hijacked and data injected. The key is how your server side scripts validate the data alongside authentication, session, anti forgery tokens etc

redsquare 2010-07-18 06:49:37

See comment above: There's no way to prevent users from sending an invalid facebook ID other than what's currently in the session?

st4ck0v3rfl0w 2010-07-18 06:53:32

I would not put an important id inside a hidden field with no encryption. I would store that value encrypted in a session cookie

redsquare 2010-07-18 06:56:29

ansaurus

tags:

views:

answers:

Security: Form Submission + javascript/jQuery

related questions