Security advice for jquery ajax data post?

I'm using jquery ajax to post updates back to my server. I'm concerned about making sure I have put in place appropriate measures so that only my AJAX calls can post data.

My stack is PHP on Apache against a MySQL backend.

Advice greatly appreciated!

brabster Avatar asked Sep 01 '08 20:09




2 Answers

Any request that the AJAX calls in your pages can make can also be made by someone outside of the application. If done right, you will not be able to tell if they were made as part of an AJAX call from your webapp or by hand/other means.

There are two scenarios I can think of which you might be talking about when you say you want to make sure that only your AJAX calls can post data: either you don't want a malicious user to be able to post data that interferes with another user's data or you actually want to restrict the posts to being in the "flow" of a multi-request operation.

If you are concerned with the first case (someone posting malicious data to/as another user) the solution is the same whether you are using AJAX or not -- you just have to authenticate the user through whatever means is necessary -- usually via session cookie.

If you are concerned with the second case, then you are going to have to do something like issue a unique token at each step of the process, and store the expected token on the server side. Then when a request is made, check that there is a corresponding entry on the server side for the action that is being taken, that the expected tokens match, and that the token has not been used yet. If there is not, you reject the request; if there is, then you mark that token as used and process the request.

If what you are concerned about is something other than one of these two scenarios then the answer will depend on more specifics than you have provided.

John Avatar answered Oct 01 '22 01:10



Use sessions to ensure that any Ajax posts are done in an authenticated context. Think of your Ajax code as just another client to your server; it becomes easier to tackle authentication issues that way.

conmulligan Avatar answered Oct 01 '22 00:10
