fred

Reputation: 319

How should Ajax security be done for php/jquery app?

I'm working on a module in PHP which uses login authentication from another system and has the following characteristics:

I could figure out the ACL at the back-end but I'm not sure about securing the AJAX requests.
The best I could come up with is having an API key per user, per submodule and checking for user sessions on every request.

Just to clarify, I can't touch on the login process because it's restricted to another system. I could only get cookies and query the other system to verify whether they are logged in or not.

What would you do to harden the AJAX security in a scenario like this?

Upvotes: 0

Views: 342

Answers (2)

Quentin

Reputation: 943100

I could figure out the ACL at the back-end

Yes, you can … and must. You can't trust the client to tell you if the client is allowed to access something.

but I'm not sure about securing the AJAX requests.

Ajax requests are just HTTP requests that are made by JavaScript. The only difference when it comes to securing them is that the JavaScript you write must be prepared for a "permission denied" response (so it can display a suitable message to the user).

The best I could come up with is having an API key per user, per submodule and checking for user sessions on every request.

Normally you would just use a session to track a user's login status and their access level / roles. You say you have access to the cookies, use those.

Upvotes: 1

Sebas

Reputation: 21522

Basically, ensuring the security of an HTTP request is always the same, Ajax or not.

There are different kinds of checks:

  • data consistency: check for possible injections when data is received by the server, but also checking the data when received by the client should be done to avoid indirect injections.
  • data origin: check who is the sender, and use SSL if possible.

rgds.

Upvotes: 0
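As an added example (not code from either answer or from the asker's module), here is a PHP endpoint that puts both answers into practice: identity comes from the session/cookie and is verified against the external login system, the ACL is enforced server-side, the JavaScript caller gets a clean 401/403 JSON reply it can display, and the request's origin and input are checked before use. `verify_with_login_system()`, the `ext_login` cookie name, the `X-CSRF-Token` header and the ACL/role tables are assumptions constructed for the example.

```php
<?php
// Added example, not from the original thread. verify_with_login_system()
// is a hypothetical stand-in for querying the other system with its cookie.
declare(strict_types=1);

// Hypothetical: asks the external login system whether this cookie is a
// live login and returns the user id, or null. Constructed stub below.
function verify_with_login_system(string $cookie): ?string {
    return $cookie === 'demo-cookie' ? 'user42' : null;
}

// Server-side ACL: which roles may use which submodule. The client never
// tells the server what it is allowed to do; the server looks it up here.
const ACL   = ['reports' => ['admin', 'analyst'], 'billing' => ['admin']];
const ROLES = ['user42' => ['analyst']];

// One JSON error shape so the JavaScript caller can show a suitable message.
function deny(int $status, string $reason): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $reason]);
    exit;
}

session_start();
$user = verify_with_login_system($_COOKIE['ext_login'] ?? '');
if ($user === null) {
    deny(401, 'not logged in');
}

// Data origin: state-changing Ajax calls must carry a per-session token that
// only a page served to this session knows (the page embeds it and the JS
// sends it back in the X-CSRF-Token header), so a foreign site cannot forge them.
$_SESSION['csrf'] ??= bin2hex(random_bytes(32));
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !hash_equals($_SESSION['csrf'], $sent)) {
    deny(403, 'bad origin token');
}

// Data consistency: validate the submodule name before it touches anything.
$module = $_GET['module'] ?? '';
if (!preg_match('/^[a-z]{1,32}$/', $module) || !isset(ACL[$module])) {
    deny(400, 'invalid module');
}

// ACL check on the server: does any of this user's roles unlock the module?
if (!array_intersect(ACL[$module], ROLES[$user] ?? [])) {
    deny(403, 'permission denied');
}

header('Content-Type: application/json');
echo json_encode(['ok' => true, 'module' => $module, 'user' => $user]);
```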
