Hi, I'm using jquery ajax to post updates back to my server. I'm concerned about making sure I have put in place appropriate measures so that only my AJAX calls can post data.

My stack is PHP on Apache against a MySQL backend.

Advice greatly appreciated!

+4  A: 

Use sessions to ensure that any Ajax posts are done in an authenticated context. Think of your Ajax code as just another client to your server; it becomes easier to tackle authentication issues that way.

conmulligan
+14  A: 

Any request that the AJAX calls in your pages can make can also be made by someone outside of the application. If done right, you will not be able to tell if they were made as part of an AJAX call from your webapp or by hand/other means.

There are two scenarios I can think of which you might be talking about when you say you want to make sure that only your AJAX calls can post data: either you don't want a malicious user to be able to post data that interferes with another user's data or you actually want to restrict the posts to being in the "flow" of a multi-request operation.

If you are concerned with the first case (someone posting malicious data to/as another user) the solution is the same whether you are using AJAX or not -- you just have to authenticate the user through whatever means is necessary -- usually via session cookie.

If you are concerned with the second case, then you are going to have to do something like issue a unique token at each step of the process, and store the expected token on the server side. Then when a request is made, check that there is a corresponding entry on the server side for the action that is being taken, that the expected tokens match, and that that token has not been used yet. If there is not, you reject the request; if there is, then you mark that token as used and process the request.

If what you are concerned about is something other than one of these two scenarios then the answer will depend on more specifics than you have provided.

John
The problem with session cookie authentication is that it is not sufficient to prevent CSRF attacks. It is a good idea to put in some additional layers of security - whether or not you are using ajax. http://en.wikipedia.org/wiki/Csrf
Jesse Hallett
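An added example of the per-step, single-use token scheme John describes, which also covers the CSRF concern raised in the comment. This is illustration code written for this page, not code from any of the posters; the function names, the `update.php` endpoint, the `profile.update` action name and the session layout are all assumptions.

```php
<?php
// Added example: one-time, per-action tokens kept in the PHP session.
// Assumes session_start() has run and the session belongs to an
// already-authenticated user (the "first case" in the answer above).

// Issue a fresh token for a named step and remember it server-side.
// The page embeds the returned value in its jQuery call, e.g.
//   $.post('update.php', {token: '<?= $token ?>', name: 'x'});
function issue_token(string $action): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $_SESSION['tokens'][$action] = ['value' => $token, 'used' => false];
    return $token;
}

// Validate a token presented with a request. Returns true only if an
// entry exists for this action, the values match, and the token has
// not been used; a successful check consumes the token, so a replayed
// or duplicated request is rejected.
function consume_token(string $action, string $presented): bool
{
    $entry = $_SESSION['tokens'][$action] ?? null;
    if ($entry === null || $entry['used']) {
        return false;
    }
    // hash_equals() compares in constant time (no timing side channel).
    if (!hash_equals($entry['value'], $presented)) {
        return false;
    }
    $_SESSION['tokens'][$action]['used'] = true;
    return true;
}

// Endpoint side (assumed file update.php): check the token before
// touching MySQL. The token lives only in the server-side session and
// in the page that was served to this user, so a cross-site form or
// script (CSRF) cannot supply a valid value, and a hand-crafted
// request without a current token is refused the same way.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['token'] ?? '';
    if (!consume_token('profile.update', $token)) {
        http_response_code(403);
        exit('invalid or reused token');
    }
    // ... perform the update for the authenticated user here ...
}
```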
A: 

I guess I read somewhere that jQuery managed this problem using something with CSS.

If anybody wants to make a call to the API, it does not go directly from HTML -> JavaScript -> XMLHttp -> server.

It actually follows the same path indirectly with a different method, that is, with CSS.

Does anybody have any clue about this?

I would like to know more about it.

Regards

Sushant Danekar

http://splendornet.com

Sushant Danekar