I have a PHP application which has some jQuery and Ajax features in it. I would like to know, how is it possible to regenerate the Session Token - which I'm sending to validate the Ajax request - upon each Ajax request (without loading the page)?
I have more elements on the page which are running multiple Ajax queries, however at this moment they all get the same token. So if someone has the tokey, they can submit a forged request from another form I guess.
Generating token on client side makes no sense. You can't trust anything coming from client side, as you don't know if it's your client software which sends the request, or a malicious one.
You must create as many tokens as you have ajax possible requests, and return a new token with each response.
You should generate a CSRF token on server side for each user or each session. You can store it in your database, or in your session. You should send that token to your client, and wait it back with the ajax requests. It will work until your site is not XSS vulnerable...
Btw the first step to secure your application is using the HTTPS protocol...
Related
My website returns a JSON string contains database result when you call the URL through ajax. It's actually public. I mean everybody can send an ajax request to my website and simply get the result neatly (currently my website acts like a free API).
Now all I'm trying to do is authenticating all requests and just response the known ones. So I think I need to pass a token with along each request for identification.
My question: How should I make that token (that no one else can)? And how should I identify that token on server side?
If your "website" and the "app" that calls your website reside on the same domain. Then this can be done server side.
First CORS will stop any java-script app from replicating your client code on another server and calling, or the lack of.
Second. On your server just check that all incoming calls are from the same HOST or the host you want to permit. This would reject any calls that did not originate from the same domain - which you control.
I don't know what language you are using so i can't post code.
I suggest you use jwt to authorize. U can achieve this by requiring that a user log in first and respond with a token on successful request. This token will then be used for subsequent requests
The situation is as follows:
I am logged into a web application and there is an HTTPOnly-Cookie stored with a JSESSIONID. The backend I am sending requests to is running on the same website/url as the frontend application. Now while I am logged in as User A (identified by the cookie with the JSESSIONID), I need to do a single request to the same backend but without this cookie! Whenever I send a request to the backend, this cookie is automatically sent too though.
So how can I tell an AJAX request to NOT automatically send this certain HTTPOnly cookie - or even any cookie at all. I know that this can be achieved for Cross-Origin calls (see "withCredentials" flag). But this does not help since it is no Cross-Origin call...
Can anyone help me with this one?
Thanks and best regards
I have built a web app. The app needs to make several POST requests. Since full page reload does not happen (single page app), every time form gets generated dynamically from a template, I made the app to make a ajax GET request to the server to fetch csrf token, which later will be submitted with other form values.
To achieve, this I made a endpoint in server '/getCsrf' which returns csrf token to the user. Every time the endpoint is visited, different unique csrf token gets generated.
Is approach described above safe? I was wondering if attacker can force victim to visit that '/getCsrf' url in different server, steal 'csrf' token data, load the fabricated form page, and send an unexpected POST request to the server.
I am developing a Chrome extension which will be sending data via an AJAX request using jQuery. I need to ensure though that only the logged in user has send the request. This might not be the right approach trying to secure the AJAX request itself so any advice is appriciated.
you cannot secure Ajax requests on client side as every one can request to your APIs if it's included in your JS.
but there are some workarounds which you can choose to have more secure interact with your server:
you can send encrypted data
you can also obfuscate your code to make it much harder to read
use SSL to protect data from snoopers
EDIT:
as you mentioned if you want to make sure a user is logged in to do something you can use encrypted cookie and a token as mentioned in another answer. but if you want to prevent requests and not rejecting them maybe above solutions will help you.
To make this work, when the user logs in, you need to set a cookie that contains some sort of authentication token or session ID (usually some unpredictable string of characters) that is also stored on your server.
Your Ajax request can then include that authentication token from the current browser's cookie as a parameter of the ajax call and your server can then authenticate that the token belongs to a legitimate user.
If the user is not logged in, there will be no cookie and thus no token.
I have some questions about XMLHttpRequest using $.Post $.Ajax:
1- How the server side verifies if the request was sent from same browser?
2- How the server side verifies if session user who sent the request has been changed on same browser? (ex: user logout and another user login on same browser)
3- Do I need any special settings or PHP code at server side for #1 and #2?
Also please give me a link to good documentation about any security issues related to XMLHttpRequest.
Thanks
Browsers and servers use cookies to check whether request was sent from same browser. Every request will have cookies attached.
The basic idea about the sessions is simple. Whenever you send a request to the server, the session variable (if present) will be sent along with the request to your server.
Again, if you modify anything in session or clear the session, the response will contain the modified session. Since both request and response contain sessions, they can operate independently.
By using $_SESSION in PHP, you will be able to retrieve sessions in server. Just use $_SESSION['userid'] == to check whether it's the same user.
I understand you are a PHP person but take a look at node.js request and response objects for a better clarity about sessions.
Also you can encrypt session variables in server for security. Code Igniter session library is an excellent example for this.
It doesn't
By whatever mechanism it uses to track who is logged in for any other kind of request (presumably the data your server side application stores in the session will change)
No