AJAX security questions
I was hoping to clear up some questions I have been having with AJAX security. So here is a scenario I am trying to wrap my head around.
Lets say I am using AJAX to request some semi-sensitive material to the page. For instance, I am going to pass the user's ID to a php file, and return some information about themselves. Now, what is keeping someone from emulating this Javascript request, and passing different ID's to the PHP script?
- Is there anything the server does to keep this from happening?
- Does the DOM recognize Javascript which was 开发者_运维知识库'originally' in place, or written by the server, as opposed to client side Javascript?
- What are some more security issues when using AJAX to request sensitive material?
- I am using suPHP, does this have any affect in situations like this?
An Ajax call is exactly identical to any other HTTP request that you make except that it's asynchronous (it doesn't reload the web browser). So you should be using whatever authentication you currently employ on your web site.
This could either be Windows integrated security, cookies, etc. Basically your PHP script just has to verify that the request is coming from a valid user of your application.
AJAX is inherently un-securable. You cannot both make a resource available for remote usage AND keep it completely secure. There is no 100% reliable method for identifying if a request came in from your client-side javascript or if it's someone faking the request.
At most, you can make it harder/more tedious to do such faking.
精彩评论