Reputation:
Recently I started digging into jQuery's ajax function. I've made a lot of improvements, but I'm insecure on one point: how to secure my ajax calls.
For example this code for deleting a link:
// Delete link: delegated handler, so links inserted later by ajax still get it.
// (.live() was removed in jQuery 1.9; .on() with a selector is its replacement.)
$(document).on("click", ".delete_update", function() {
    var ID = $(this).attr("id");
    if (confirm('<?php echo _("Are you sure you want to delete this link?");?>')) {
        $.ajax({
            type: "POST",
            url: "ajaxsave.php",
            data: { linkid: ID },   // jQuery URL-encodes this into linkid=...
            cache: false,
            success: function(html) {
                // Only remove the row after the server has confirmed the delete
                $(".bar" + ID).fadeOut('slow', function() { $(this).remove(); });
            }
        });
    }
    return false;
});
As the example shows, ajaxsave.php takes care of deleting the link with the matching POST linkid. To my knowledge it is possible to submit a POST form to an external URL. Meaning that everybody would be able to look at my source code and make their own POST forms choosing their own linkid. That way they can delete all the links they want.
How do I secure my code? - HTTP referrer in ajaxsave.php? Curl scripts could ruin that. - Using session or cookies on the page calling the ajax function? Saving the session in a database and checking for it in ajaxsave.php?
Can you help me? How do you do this in an elegant way? Or what is "normal" on all these modern ajax sites?
Upvotes: 10
Views: 5140
Reputation: 179
Well, I'll tell you one way. You can authenticate the incoming requests
with a session check inside the service function.
// Both conditions must hold; with || the check passes for every request
if ((UserID != 0) && (UserID != null))
{
    // delete action code
}
Upvotes: 0
Reputation: 4919
This might be too late to be useful, but the simple answer is this:
In ajaxsave.php, you need to check that the request comes from an authenticated (logged in) and authorized (has permission to delete this link) user. If you aren't doing those things then your site is definitely at risk.
Optionally you could just decide that all authenticated users are trustworthy and able to delete whatever they want. You still need to check authentication in ajaxsave.php, though.
Upvotes: 11
Reputation: 120168
You need to handle this on the server, no matter what you do on the client (i.e. the browser). Basic web application design deals with authentication vs authorization. The former is 'Are you who you say you are', handled by logging in, and the latter is 'Do you have permission to do what you are trying to do'. You must handle authorization on the server; the first thing you should do is check to make sure the user has the proper authorization to do what they are trying to do.
When you say 'To my knowledge it is possible to submit a post form to an external url. Meaning that everybody would be able to look at my sourcecode and make their own post forms choosing their own linkid. That way they can delete all the links they want.', are you worried that someone can look at your javascript, see a url, then set up a form on their own website that points to your url? This is not possible because of the same origin policy, which all browsers implement. The same origin policy means that if you are at www.example.com, you cannot make an ajax request to www.example2.com (among other things). So someone could not set up www.example2.com and then try to post on www.example.com (your site) with ajax. You could do it with any number of other tools though.
For example, nothing stops a user from typing a url into their browser and trying to manipulate your system. Say for example you can delete a user at
www.example.com/user/delete/20
which means delete the user with id 20. As soon as I see that, I could just type into the browser
www.example.com/user/delete/21
even though you have not provided me a link to that URL. So like I originally said, you need to ensure that I have the necessary privileges to delete user 21.
Upvotes: 7
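Putting the two answers above together, here is what the server side of the asker's ajaxsave.php can look like when it checks authentication (is anyone logged in?), authorization (does this user own this link?) and, for the "someone builds their own POST form on another site" case the question raises, an anti-forgery token. This is an added example, not code from the question or from any answer, and it makes assumptions the page does not state: links live in a table `links` with columns `id` and `owner_id`; the login code stores the user's id in `$_SESSION['user_id']` and a random token in `$_SESSION['csrf_token']` (for instance `bin2hex(random_bytes(32))`, echoed into the page); the jQuery call sends that token as a POST field named `csrf`; the PDO DSN and credentials are placeholders.

```php
<?php
// ajaxsave.php, hardened version (added example; assumptions noted in comments).
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// Small helper: set the HTTP status, emit a JSON body, stop.
function respond(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['ok' => $status === 200, 'message' => $message]);
    exit;
}

// 1. Only POST. A GET reached via a link or <img src> must never delete data.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'POST required');
}

// 2. Authentication: the session cookie decides, not the Referer header,
//    which curl (or any script) can set to any value it likes.
//    Assumption: the login code sets $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    respond(401, 'not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 3. Anti-forgery token. A plain <form method="POST"> on another site is not
//    blocked by the same-origin policy and is sent with the victim's cookies,
//    but that site cannot read the token stored in the victim's session.
//    Assumption: login stored a random token in $_SESSION['csrf_token'] and
//    the page passed it to the ajax call as POST field 'csrf'.
$token = $_POST['csrf'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    respond(403, 'bad token');
}

// 4. Validate the identifier before it goes anywhere near the database.
//    filter_input returns null when the field is missing, false when invalid.
$linkId = filter_input(INPUT_POST, 'linkid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($linkId === null || $linkId === false) {
    respond(400, 'invalid linkid');
}

// 5. Authorization: delete only if this link belongs to this user. Putting the
//    ownership test in the WHERE clause means there is no separate lookup that
//    a second request could race, and the row count answers the question
//    "does this user own this link?" in one step.
//    Assumption: DSN, credentials and table layout are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$stmt = $pdo->prepare('DELETE FROM links WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $linkId, ':owner' => $userId]);

if ($stmt->rowCount() === 0) {
    // Either the link does not exist or it is not theirs; do not say which,
    // so typing ajaxsave.php with linkid=21 reveals nothing about link 21.
    respond(404, 'no such link');
}

respond(200, 'deleted');
```

On the client, the only change needed to the jQuery call in the question is to send the token along with the id, e.g. `data: { linkid: ID, csrf: '<?php echo $_SESSION["csrf_token"]; ?>' }` (assuming the token is generated at login as described above). Note that the success callback in the question fades the row out on any 2xx response; with the handler above it is worth checking the JSON `ok` field, and an error callback should leave the row in place, because a 401/403/404 means nothing was deleted.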