php - Ajax Security (I hope)


I am creating a browser game and using a huge amount of AJAX instead of page refreshes. I am using PHP and JavaScript. After a lot of work I saw that Ajax is not absolutely safe. The danger I am worried about is that if someone wants to see any information on my SQL server, all they need is the key to the correct information in the .php file associated with the AJAX call. I was using GET style Ajax calls, which was a bad idea. Anyway, after a lot of research I have the following safety measures in place. I changed to POST (which is not really any safer, but it is a small deterrent). I also have referrer checking in place, which again can be spoofed, but again it is another deterrent.

The last resort I have, and the focus of this question, is this: when my website loads, I have an 80-character hash code generated and saved in the session, and when I send an Ajax call I include

  challenge=<?php echo $_SESSION["challenge"]; ?>

Now when the AJAX php file reads it, it checks whether the sent challenge matches the session's challenge or not. On its own this does not do much, because you can easily open Firebug and see how the challenge is being sent. So what I do is, once the challenge has been used, a new one is created in the session.

So my question is, how safe is this? From where I stand, it seems that someone could only see the challenge key after it was sent, and by then it would have been renewed and they would not see the new one until they viewed the page again, so it should not be possible to send a fake request from another source. Does anyone see any loopholes in this safety method, or have any additional thoughts or ideas?

Answer by 'Magener'.

I would like to mention this:

By passing around the identifier in the session, you are re-doing what the session already does. Generally, a cookie with a unique identifier, which is similar to what you are creating, tells your application essentially who that person is; that is generally how PHP sessions work.

What you have to do in this case is check that, for a given request - POST or GET - that particular user (whose unique user id, or similar, has been stored in the session) is allowed to add/change/delete the thing that particular request refers to.

So for a "search" request, you only send back the results that user X is allowed to see. In this way you do not have to worry about anything you send - if the user is not allowed to do something, the system simply does not let them do so.

Therefore: "You must validate all requests."

Feel free to add to this.
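As an added illustration of the answer's point (example code, not from the question or the answer): a PHP AJAX endpoint that identifies the user only from the server-side session, checks the asker's rotating challenge in constant time and rotates it, and then authorizes the action by matching the session's user id inside the query itself. The `$pdo` connection, the `items` table and its `owner_id` column are assumptions.

```php
<?php
// Added example: session-bound, challenge-checked, per-user-authorized AJAX handler.
// Assumed: $pdo is an existing PDO connection; table items(id, owner_id).
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Who is this? Only the server-side session says so, never a POST field.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 2. Rotating challenge: must be a string, compared in constant time, then
//    replaced so a captured value cannot be replayed.
$sent = $_POST['challenge'] ?? '';
if (!is_string($sent) || empty($_SESSION['challenge'])
    || !hash_equals($_SESSION['challenge'], $sent)) {
    fail(403, 'bad challenge');
}
$_SESSION['challenge'] = bin2hex(random_bytes(40)); // fresh 80-char token

// 3. Authorize the specific action for this user inside the query, so a
//    request for somebody else's item simply matches zero rows.
$itemId = filter_input(INPUT_POST, 'item_id', FILTER_VALIDATE_INT);
if ($itemId === false || $itemId === null) {
    fail(400, 'bad item id');
}
$stmt = $pdo->prepare('DELETE FROM items WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $itemId, ':owner' => $userId]);
if ($stmt->rowCount() === 0) {
    fail(404, 'no such item for this user');
}

// Hand the client the next challenge along with the result.
echo json_encode(['ok' => true, 'challenge' => $_SESSION['challenge']]);
```

The client stores the returned `challenge` and sends it with its next request, so the token is never readable from the page source after the first load.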
