XMLHttpRequest Security? - javascript

I have some questions about XMLHttpRequest using $.Post $.Ajax:
1- How the server side verifies if the request was sent from same browser?
2- How the server side verifies if session user who sent the request has been changed on same browser? (ex: user logout and another user login on same browser)
3- Do I need any special settings or PHP code at server side for #1 and #2?
Also please give me a link to good documentation about any security issues related to XMLHttpRequest.
Thanks

Browsers and servers use cookies to check whether request was sent from same browser. Every request will have cookies attached.
The basic idea about the sessions is simple. Whenever you send a request to the server, the session variable (if present) will be sent along with the request to your server.
Again, if you modify anything in session or clear the session, the response will contain the modified session. Since both request and response contain sessions, they can operate independently.
By using $_SESSION in PHP, you will be able to retrieve sessions in server. Just use $_SESSION['userid'] == to check whether it's the same user.
I understand you are a PHP person but take a look at node.js request and response objects for a better clarity about sessions.
Also you can encrypt session variables in server for security. Code Igniter session library is an excellent example for this.

It doesn't
By whatever mechanism it uses to track who is logged in for any other kind of request (presumably the data your server side application stores in the session will change)
No

Related

How can I detect ajax request comes from my own application?

My website returns a JSON string contains database result when you call the URL through ajax. It's actually public. I mean everybody can send an ajax request to my website and simply get the result neatly (currently my website acts like a free API).
Now all I'm trying to do is authenticating all requests and just response the known ones. So I think I need to pass a token with along each request for identification.
My question: How should I make that token (that no one else can)? And how should I identify that token on server side?
If your "website" and the "app" that calls your website reside on the same domain. Then this can be done server side.
First CORS will stop any java-script app from replicating your client code on another server and calling, or the lack of.
Second. On your server just check that all incoming calls are from the same HOST or the host you want to permit. This would reject any calls that did not originate from the same domain - which you control.
I don't know what language you are using so i can't post code.
I suggest you use jwt to authorize. U can achieve this by requiring that a user log in first and respond with a token on successful request. This token will then be used for subsequent requests

Send AJAX request without any cookie

The situation is as follows:
I am logged into a web application and there is an HTTPOnly-Cookie stored with a JSESSIONID. The backend I am sending requests to is running on the same website/url as the frontend application. Now while I am logged in as User A (identified by the cookie with the JSESSIONID), I need to do a single request to the same backend but without this cookie! Whenever I send a request to the backend, this cookie is automatically sent too though.
So how can I tell an AJAX request to NOT automatically send this certain HTTPOnly cookie - or even any cookie at all. I know that this can be achieved for Cross-Origin calls (see "withCredentials" flag). But this does not help since it is no Cross-Origin call...
Can anyone help me with this one?
Thanks and best regards

Securing jQuery AJAX requests

I am developing a Chrome extension which will be sending data via an AJAX request using jQuery. I need to ensure though that only the logged in user has send the request. This might not be the right approach trying to secure the AJAX request itself so any advice is appriciated.
you cannot secure Ajax requests on client side as every one can request to your APIs if it's included in your JS.
but there are some workarounds which you can choose to have more secure interact with your server:
you can send encrypted data
you can also obfuscate your code to make it much harder to read
use SSL to protect data from snoopers
EDIT:
as you mentioned if you want to make sure a user is logged in to do something you can use encrypted cookie and a token as mentioned in another answer. but if you want to prevent requests and not rejecting them maybe above solutions will help you.
To make this work, when the user logs in, you need to set a cookie that contains some sort of authentication token or session ID (usually some unpredictable string of characters) that is also stored on your server.
Your Ajax request can then include that authentication token from the current browser's cookie as a parameter of the ajax call and your server can then authenticate that the token belongs to a legitimate user.
If the user is not logged in, there will be no cookie and thus no token.

Is it possible to restrict an API to only one web interface/app?

I have a question regarding cross-origin policies.
I have a web app that gets data, usually in JSON format, via ajax.
When the web app initialize, a unique 'key' or 'token' is created from the server via ajax and is sent to the client, as a mean to identify it. The token is sent back on every ajax call for validation purposes. If it is not validated within two hours, a PHP script deletes it, and the user is required to authenticate him/herself again.
If the user sends another ajax call (i.e. if there is activity with the associated token), the token sets its expiration for another 2 hours.
On every call, I validate the token and then process the request. Everything works well but my issue is security-oriented.
Since the token is stored client-side (very crudely, like window.token = 'YTM0NZomIzI2OTsmIzM0NTueYQ==';), won't it be possible for malicious users to inspect the code, copy the JavaScript including the token, and create another app that will access the same data?
Since the token is stored client-side (very crudely, like window.token = 'YTM0NZomIzI2OTsmIzM0NTueYQ==';), won't it be possible for malicious users to inspect the code, copy the JavaScript including the token, and create another app that will access the same data?
Yes.
And possibly even more disturbing to you may be this: it doesn't even matter how your token is stored client-side - they'd even be able to login using the same API you expose to your users for logging in. (And if you think you don't have a login API because it's a form-post or something similar, you're fooling yourself - a form post is just as much an "API" as anything else... and can easily be replicated elsewhere).
The cross-domain stuff has very little to do with anything - as that's a client-side restriction of a browser - intended for the user's protection - not yours. I can make any HTTP request I want from a desktop or a server. I can even setup a service which allows me to proxy all requests made to my service over to your service... so the cross-domain security in browsers is of no help to you.

unset session in Javascript

Does anyone know is it possible for me to reset/remove the session for php in javascript?
There isn't the concept of "session" on the Client/JS side - it is a construct/state of the server side.
Of course you could be sending an indication back to the server if you wish: you can use AJAX to do that.
Keep in mind that Javascript runs on the client, after the page has been downloaded. Session data exists only on the server. As such, Javascript (on the client) cannot touch session data (on the server). You'll have to communicate with a server-side PHP script to handle session-data. You can make asynchronous calls via Javascript to the PHP scripts. This would be the only route.
Example using jQuery
$("a.signOut").click(function(){
$.post("signout.php", {}, function(){
alert("You've been logged out.");
});
});
Session management is all specific to the server side environment. In order to manipulate the server-side session, you will need to issue a request to the server. If you need to do this asynchronously (via javascript) then you can always use an AJAX request that will allow for asynchronous communication between the client-side environment (the user's browser) and the server-side environment.
PHP will store session information on the server side, but use an HTTP cookie (that the browser is responsible for sending back on each request) as a "handle" to the server-side state. So if all you want to do is clear the session completely (so that on the next request PHP will start a new session), you can use the document.cookie object in JavaScript to manipulate the cookie directly.
Peter-Paul Koch's eraseCookie() function is probably the easiest way to do this.
you can do that by posting to another page to unset sessions
$.ajax("/unset_data.php", {"cache":false});

Categories