Can the user send an ajax request?
Hi all! Can a user send an ajax request? Mine is executed under an if condition; can the user somehow satisfy that condition with code so that the ajax request gets sent?
And what is the best way to protect against this? Maybe somehow with encryption and a key? In theory, an ajax script should fire every minute, and I thought of hashing the time with md5 and then comparing the keys in the PHP script; if everything is OK, the script runs. But the time (in Unix time) when ajax sends the data will be one value, and by the time the server receives the data the time will already be different.
The user can do anything from the browser (on the client side) regarding Ajax requests; he cannot fake the response from your server, but on the client he can do anything.
In order to advise something on protection, more details are needed, but the fact is that everything stored on the client is unreliable data that you can rely on only indirectly.
Yes, the user will at least be able to click "edit and resend" in the console. Encryption won't help here. You will not be able to protect yourself in any way from the ability to send a request manually; any tokens and encryption will be available on the client to the user.
Protection from unauthorized users is usually a token that is unique to a particular session. Perhaps this is exactly what you need.
Maybe, of course. Even if you don't have a script on the server, he will write his own and send it.
To protect yourself from such actions, you need to do checks on the server side. Dig towards the CSRF token; it will cut off requests from foreign domains, etc., but this will not be enough in your case. You also need to check the frequency of accesses from one session, and maybe encode some kind of key and verify it on the server. There are actually a lot of options; everything is purely individual, and it is probably not advisable to do some kind of hard check.
I personally try to avoid this; it makes no sense to build crutches when it's easier to cure the leg.
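The server-side checks the answers point at (a token bound to the session, and a once-per-minute limit enforced on the server's own clock rather than on an md5 of the client's time) as an added example that is not from this thread; Python stands in for the asker's PHP handler, and SERVER_SECRET, SESSIONS and the 60-second interval are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; in practice load it from config and never send it to the client.
SERVER_SECRET = secrets.token_bytes(32)
MIN_INTERVAL = 60  # assumed minimum seconds between accepted runs for one session

# Constructed stand-in for a server-side session store (the role $_SESSION plays in PHP).
# The client never sees or edits these values, so they are the only ones worth trusting.
SESSIONS = {}


def issue_token(session_id: str) -> str:
    """Token handed to the page once; bound to this session, not to the client's clock."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_ajax(session_id: str, token: str, now: float) -> tuple:
    """Server-side decision for one AJAX call. Returns (accepted, reason)."""
    # 1. The token must be the one minted for this session (constant-time comparison,
    #    so a forged token cannot be guessed byte by byte from response timing).
    expected = issue_token(session_id)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return (False, "bad token")
    # 2. Rate limit using the server's clock and server-held state; nothing the client
    #    sends (including its own timestamp) can shorten the interval.
    state = SESSIONS.setdefault(session_id, {"last_run": None})
    if state["last_run"] is not None and now - state["last_run"] < MIN_INTERVAL:
        return (False, "too soon")
    state["last_run"] = now
    return (True, "ok")


def demo() -> list:
    """Four constructed requests from one session, in order."""
    sid = "sess-" + secrets.token_hex(8)
    good = issue_token(sid)
    t0 = time.time()
    return [
        handle_ajax(sid, good, t0),           # first run: accepted
        handle_ajax(sid, good, t0 + 5),       # same token replayed 5 s later: refused
        handle_ajax(sid, "0" * 64, t0 + 61),  # forged token: refused
        handle_ajax(sid, good, t0 + 61),      # a minute later: accepted again
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the decision depends only on what the server stores and the server's own time; the client can trigger the request whenever it likes, and the handler simply declines to do the work more often than allowed.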