
I want to pass the user id and username stored in the session variable in php with an ajax request.

I know that i can print the values to the html of the page as a hidden text box, or as a jQuery data value, but i feel that this is not secure and that the user can make changes to the value and the ajax call will send that value which would make it in-secure. Please let me know how professionals handle this problem...

Thanks in advance!

ShadowZzz
  • The user can send any data they want to your server at any time. – Paul Apr 16 '13 at 02:34
  • So how can I solve this problem? – ShadowZzz Apr 16 '13 at 02:36
  • It sounds like you have a larger security problem you need to fix first. You should always assume that your user can make up any HTTP request and send any input through POST or GET or Cookies, that they want. – Paul Apr 16 '13 at 02:37
  • I agree with Paulpro. You may want to hire a professional Pen-tester to take a look at your site. – Freedom_Ben Apr 16 '13 at 02:40
  • I do check for accurate values server side before doing any processing and use PDO when storing the data in the database to prevent any SQL injections – ShadowZzz Apr 16 '13 at 02:43

1 Answer


Professionals handle this problem by carefully screening all input, enforcing strong password standards (so that users can't guess other users' passwords), and by not storing the credentials in the code on the page but rather by using a randomly generated session token to map the user's token to identity on the server.

Clients can easily send any data they want by circumventing all of your client code. You have to assume the client is evil and look at protecting your server from that perspective.

EDIT:

If you need some help with tokens and their usage, this question might help you: PHP cookies and member security

If you are new to security I would highly recommend the Web Application Hacker's Handbook. I have read it and it is very thorough and interesting to read.

There is also a new book out called the Web Application Defender's Cookbook that looks quite promising, though I haven't read it.

Freedom_Ben
  • Ok, are there any possible suggestions as to what methods I can use? The user details are saved in the database securely and are encrypted. How would I pass the user details... do I make a session string and pass that so I can compare it with the server or something? – ShadowZzz Apr 16 '13 at 02:41
  • Thank you! Those resources will be valuable to me. – ShadowZzz Apr 16 '13 at 02:44
  • Send the token to the server, and then on the server side pull the correct user credentials from your database (using the map of tokens to user IDs), and then send them from the server. This way the client never sees the credentials and therefore can't tamper with them (or steal them). – Freedom_Ben Apr 16 '13 at 02:44
  • So is it wrong if I publicly display the user id of a member, if it is only used for that purpose? (i.e. not returned to the server for a query) – ShadowZzz Apr 16 '13 at 03:51
  • Generally speaking you do not want the User ID of a member disclosed. There isn't much an attacker can do with just the User ID, but if he can get access to your DB then the User ID is one less piece of information he needs to aggregate. If the users need this information though, then it's probably ok to display it. – Freedom_Ben Apr 16 '13 at 15:40