AJAX: Single Page Application Structure/Security

I am working on a web/mobile app using AJAX. The application has 4 pages: the login one and 3 protected pages only displayed to logged in users.

I am planning to use the Single Page Application pattern, so all 4 pages will be loaded right away, each inside its own DIV id, and only the login one will be visible initially.

Once the user inputs his user/pass, I create an XMLHttpRequest and communicate with an internal PHP script, which in turn uses prepared statements to check if the user/pass exist in the database, and returns a true or false to the XMLHttpRequest.

If the result is true I'll then make the protected DIV visible and load the necessary data from the server, creating another XMLHttpRequest and going through another PHP script to interface with the database. This step is repeated when the user navigates between the other protected pages. I am also planning to implement cookies to keep users logged in, again using XMLHttpRequest/internal PHP script.

Below there's an image describing the process.

Questions:

  • Does this structure look OK? Any problems that might arise I am not foreseeing?
  • Is the structure secure? Any ways I can harden it further?

[Image: diagram of the login and data-loading process described above]

Daniel Scocco asked Feb 28 '13 17:02


1 Answer

That structure is fine as long as you ensure that each request for data is protected by the login system, to prevent serving data to unauthenticated users.

Also you need to make sure that when the user logs out, you flush all data out of the DOM. This could easily be done by forcing a page refresh window.location.reload() or by manually removing all of the DOM nodes that contain data and overwriting any variables. Consider a user that uses your app, then logs out, then another user comes to use the same device. If you don't flush data when logging out, the second user whilst unauthenticated could open up any DOM tool such as Firebug/Chrome Dev Tools and view the last user's sensitive data.

Don't forget to pay attention to general web app security in terms of SQLi, XSS (including DOM based XSS - not just reflective/stored XSS) and session security (session hijacking etc etc).

MrCode answered Nov 03 '22 07:11
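One way to enforce the per-request login check the answer calls for, as an added example (not code from either poster), written in PHP because the question's back end is PHP; the file names, the `$_SESSION['user_id']` key and the JSON error body are assumptions:

```php
<?php
// auth_guard.php (hypothetical name): included at the top of every PHP script
// the SPA calls via XMLHttpRequest after login. Because all four pages are
// already in the DOM, this server-side check is the only thing that keeps
// protected data away from an anonymous caller.
declare(strict_types=1);

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'httponly' => true,   // not readable by JavaScript, limits XSS impact
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POSTs (CSRF mitigation)
]);
session_start();

// Call first in every data endpoint; returns the user id or ends the request.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Called by the login script once the prepared-statement lookup succeeds.
function establish_session(int $userId): void
{
    session_regenerate_id(true);   // fresh id: defeats session fixation
    $_SESSION['user_id'] = $userId;
}

// Called by the logout script; the client then reloads to flush the DOM.
function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Example data endpoint (hypothetical page1_data.php):
//   require 'auth_guard.php';
//   $userId = require_login();
//   ... run the prepared-statement query scoped to $userId and echo JSON ...
```

The client should treat a 401 from any data request as "logged out" and show the login DIV again, rather than relying on the earlier true/false from the login call.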