Secure ajax calls with JQuery php

Status
Not open for further replies.

swordsinfo

New Member
Hi guys quick question - im looking to load data from database via ajax into a page. However the page that is being loaded via ajax needs to be protected. Im currently using sessions in the admin areas however the session doesnt exist on the ajax page so that is out. I know I can pass the parameter via ajax but that exposes the site and could easily be hacked. Has anyone got any recommendations?? I was thinking of using sha1() to encode the value of the session then could send this and the session value and check the on the other end by sha1 the session value and comparing it against the one being sent?? I dont know if this is the right way for making these requests and as always your input or suggestion is always appreciated.

Regards
B
 

ralph

New Member
I was thinking of using sha1() to encode the value of the session then could send this and the session value and check the on the other end by sha1 the session value and comparing it against the one being sent??

If I understand you correctly, this will not work. You cannot send both the sha1-hash of the session and the session itself. You are trying to transfer authorization across the network from a place where a secret is known ( admin area) to a place where the secret is not known (page). It would be secure to send only the hash value to the page but then how would the page receive the secret that was hashed for the checking?
 

swordsinfo

New Member
If I understand you correctly, this will not work. You cannot send both the sha1-hash of the session and the session itself. You are trying to transfer authorization across the network from a place where a secret is known ( admin area) to a place where the secret is not known (page). It would be secure to send only the hash value to the page but then how would the page receive the secret that was hashed for the checking?

Cheers for the response. I do have the option of creating a constant on both sides for the hash . However my question is really how do you achieve this - using ajax on secure page - i cant figure it out ?? Obviously Im concerned with man in middle attacks so want to lock it up as much as possible.

Thanks
B
 

ralph

New Member
Obviously Im concerned with man in middle attacks so want to lock it up as much as possible.

If Man-in-the-middle attacks are your concern, then why not use HTTPS?

If you want to use plain HTTP, then a single constant on both sides won't do the trick as and attacker will be able to replay the value, regardless whether you send the session or the hash of the session. A hash serves the purpose that you can prove that you know a (secret) information without exposing this information with your communication over an insecure channel.
 

swordsinfo

New Member
If Man-in-the-middle attacks are your concern, then why not use HTTPS?

If you want to use plain HTTP, then a single constant on both sides won't do the trick as and attacker will be able to replay the value, regardless whether you send the session or the hash of the session. A hash serves the purpose that you can prove that you know a (secret) information without exposing this information with your communication over an insecure channel.

So again i ask the question how?? no point just telling me what im doing wrong im looking for a solution??
With the hashed solution i can send back the hash and check it against the original session value. if they match then then i can validate the id and update record based against unique identifier (which is whats required in this case). But overall going forward how do you use ajax in secure environment?
 
Status
Not open for further replies.
Top