views: 54

answers: 2

I would like to use JSON, however, the security issues related to using JSON are holding me back.

There are two main issues: CSRF (Cross Site Request Forgery) and the JSON/Array hack.

I have read that Double Submit Cookie, expanding on Secret Hidden Fields, is a possible solution to the CSRF problem.

I wonder if there are any CodeIgniter add-ons to simplify the process of securing a project this way?

Any advice would be appreciated.

+1  A: 

To help secure your application against CSRF there is a library http://blog.kylehasegawa.com/codeigniter-csrf-xsrf-library that can help. However, once CI 2 is released you need not worry - it will include CSRF/XSRF protection.

What do you mean by "use JSON"?

JSON in itself is not dangerous; it is just a way to serialize JavaScript objects. However, when deserializing, I advise you not to use JavaScript's eval() function (that allows for executing arbitrary JS code if used carelessly), but to use a dedicated JSON deserializer such as http://www.json.org/js.html. Newer browsers even come with built-in JSON deserializers.

For browser security issues in general, I recommend reading http://code.google.com/p/browsersec/.

bjornl
>> What do you mean by "use JSON"? I mean use JSON over XML for returning data from a site
andicrook
http://blog.kylehasegawa.com/codeigniter-csrf-xsrf-library << That's funny, I am on his blog at the moment; it looks like I will be using this.
andicrook
Yes, I hear CI 2 will have it built in; currently it's flaky so can't be used. For example, opening multiple tabs on a client causes issues.
andicrook
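The deserialization advice above (JSON.parse instead of eval) and the "JSON/Array hack" from the question, as an added JavaScript example that is not part of either answer. It contrasts an eval()-based parser with JSON.parse, and shows a server response wrapped in an object and prefixed with `)]}',` so that it cannot be evaluated as a script; the prefix value, the `encodeResponse`/`decodeResponse` names and the sample rows are assumptions made for this example.

```javascript
// Added example: JSON deserialization without eval(), plus an anti-hijacking
// response prefix. Not code from the original answers; names and the prefix
// string are assumptions made for this illustration.

// Assumed server-side prefix. As the first bytes of a <script> body it is a
// syntax error, so a page that includes the URL as a script gets nothing.
const HIJACK_PREFIX = ")]}',\n";

// Vulnerable pattern: eval() executes whatever the body contains, code or data.
function unsafeParse(body) {
  return eval('(' + body + ')');
}

// Hardened pattern: JSON.parse accepts only the JSON grammar and never runs code.
function safeParse(body) {
  return JSON.parse(body);
}

// Server side: always emit a top-level object (never a bare array) and add the prefix.
function encodeResponse(rows) {
  return HIJACK_PREFIX + JSON.stringify({ data: rows });
}

// Client side: require the prefix, strip it, then parse strictly.
function decodeResponse(body) {
  if (typeof body !== 'string' || !body.startsWith(HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return safeParse(body.slice(HIJACK_PREFIX.length));
}

// Would this body survive JSON.parse? Anything that is code rather than data fails.
function isStrictJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample rows standing in for a controller's query result.
const sampleRows = [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }];
const wire = encodeResponse(sampleRows);
console.log('wire body:', JSON.stringify(wire));
console.log('decoded rows:', decodeResponse(wire).data.length);
console.log('"1 + 1" is strict JSON?', isStrictJson('1 + 1'));
```

The contrast worth noticing: `unsafeParse('1 + 1')` evaluates the expression and returns 2, while `safeParse` rejects the same string, because it is not JSON. The prefix is a defence for the case where a victim's browser is tricked into loading the JSON URL as a script; the legitimate XHR client strips it before parsing.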
+1  A: 

It needs no add-ons: just generate a unique string in a hidden form field and also save it in the session, then compare the submitted $_POST value with the session value. Break if they don't match, otherwise continue the script... That's a simple process.

Otar
I wondered if someone had extended the form and validation to automate this; it seems http://blog.kylehasegawa.com/codeigniter-csrf-xsrf-library is usable until CI 2 is final. Thanks
andicrook
I think not, but what stands in the way of extending it yourself? :)
Otar
Why reinvent the wheel? :) Otherwise, why use CodeIgniter and jQuery?
andicrook