JavaScript
Vadim Stepanenko, 2018-03-18 22:27:43

Can the user send an ajax request?

Hi everyone! Can the user send an ajax request? Mine runs under an if condition; can the user somehow use code to satisfy that condition so that the ajax request is sent?
And what is the best way to protect against this? Maybe somehow with encryption and a key? In theory, my ajax script should fire every minute, and I thought about encrypting the time using md5 and then comparing the keys in the PHP script; if everything is OK, the script runs. But when the ajax sends the data it will be one time (Unix time), and by the time the server receives the data the time will already be different.


3 answer(s)
Vladislav, 2018-03-18
@ddddasass

The user can do anything from the browser (on the client side) regarding Ajax requests, but he cannot fake the response from your server; on the client, though, he can do anything.
In order to advise something on protection, more details are needed, but the fact is that everything stored on the client is unreliable data that you can rely on only indirectly.

Alexey Nikolaev, 2018-03-18
@Heian

Yes, the user will at least be able to click "edit and resend" in the console. Encryption won't help here. You will not be able to protect yourself in any way from the ability to send a request manually; any tokens and encryption will be available to the user on the client.
Protection from unauthorized users is usually done with a token that is unique to a particular session. Perhaps this is exactly what you need.

Stanislav, 2018-03-18
@ms-dred

Of course he can; even if you don't have a script on the server, he will write his own and send it.
To protect yourself from such actions, you need to do checks on the server side. Look into CSRF tokens, which will cut off requests from foreign domains, etc., but that will not be enough in your case; you also need to check the frequency of requests from one session, and maybe encode some kind of key and verify it on the server. There are actually a lot of options; everything is purely individual, and it is probably not advisable to do some kind of hard check.
Personally I try to avoid this; there is no point building crutches when it's easier to cure the leg.
