1

I generate a session value for each visitor on my website. If they submit the form, it sends the data via a jQuery AJAX request to my PHP validator script.

This script performs several checks on the data the user submitted. If everything has been validated, it returns a sha256 hash which is generated with the function hash_hmac('sha256', 'success', $_SESSION['secret_key']). I hash this so users cannot manipulate the response with software such as Charles.

The jQuery request receives the hashed string and I have to hash 'success' with the secret key again to check if they match. However, the secret key is stored in a PHP session and I am not able to figure out how to get access to it through JavaScript.

An AJAX request to a PHP script would not be ideal — an attacker can then edit the response to make it match with their own hashed strings.

Indy
  • You cannot access PHP session variables with JavaScript, because JavaScript is client-side and PHP is server-side. You can use the accepted answer of this http://stackoverflow.com/questions/4365738/how-to-access-php-session-variables-from-jquery-function-in-a-js-file , but then I don't see the difference between an AJAX call and a file load with the variable in it, because it's still easily accessible. – Gvidas Jan 13 '16 at 13:52
  • Why does the success or failure of user submitting valid data need to be hashed? Shouldn't the user know if they did something wrong? Especially if you want the user to check the match. What's the use case? In short, AJAX is the only solution. They can edit the response, but if it's all done client side, they can still edit whatever they need to. – Goose Jan 13 '16 at 13:58
  • Yes, they get to know if they did something wrong. The success string was only an example: if they for example entered a wrong username it will hash `invalid-username`. jQuery will show a message depending on the result from the POST request. And yes, they can edit it, but they do not know their secret key and that way they are unable to have an influence on the result by hashing it themselves. – Indy Jan 13 '16 at 14:02
  • I'm failing to see the use case. Why not just tell them they entered an invalid-username without a hash? Why would that be sensitive information? If it is sensitive, why show a message about it? Am I misunderstanding? Either way, AJAX is the only solution. As a rule of thumb, you can't get true security on the client side. – Goose Jan 13 '16 at 14:16

2 Answers

0

I'll simply elaborate on my comments in this answer.

You say

> An AJAX request to a PHP script would not be ideal — an attacker can then edit the response to make it match with their own hashed strings.

They can edit the response, but if it's all done client side, they can still edit it.

You want to send the data hashed, then you want the client to be able to check the hash, so I'm not sure what the point in hashing would be, other than security in transport. I can't tell you what you really need, because I'm not seeing the use case here.

I do know you'll need to go to the server for something you want to keep secret from the client. There's no security on the client side.

Goose
  • The user does not check the hash, the jQuery script does. It hashes, for example, `success` with their secret key and then acts accordingly. – Indy Jan 13 '16 at 14:40
  • I edited my answer to use the word client. The user can do whatever they want with the client, including jQuery. Nothing that happens in jQuery is secret. – Goose Jan 13 '16 at 14:48
  • Thank you for elaborating. I think I will only use jQuery for the basic validation then. I'll then let PHP validate it again and perform the checks. – Indy Jan 13 '16 at 16:26
0

As long as you are using JavaScript in your PHP file, something like this will suffice...

<script>
   // json_encode() emits the session value as a quoted JavaScript string literal
   var secret_key = <?php echo json_encode($_SESSION['secret_key']); ?>;
</script>
Goldbug
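Added example, not part of either answer: a Node.js sketch of the scheme from the question. It shows that once the session key is readable in the page, the client-side HMAC comparison accepts a tag computed locally, so only the server's own validation result can be relied on. The function names, the username rule and the sample key are assumptions made for illustration.

```javascript
// Added example (hypothetical names; not code from the question or answers).
const crypto = require('node:crypto');

// Produces the same lowercase hex string as PHP's hash_hmac('sha256', $message, $key).
function hmacHex(message, key) {
  return crypto.createHmac('sha256', key).update(message).digest('hex');
}

// The comparison the question's jQuery callback would perform if it had the session key.
function clientAccepts(responseTag, keyInPage) {
  const expected = Buffer.from(hmacHex('success', keyInPage), 'hex');
  const got = Buffer.from(String(responseTag), 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Server side: the outcome is derived from the submitted data only,
// never from anything the browser reports back. The rule is an assumed example.
function serverValidate(form) {
  if (!/^[a-z0-9_]{3,20}$/i.test(form.username || '')) return 'invalid-username';
  return 'success';
}

function demo() {
  const sessionKey = 'constructed-session-key'; // constructed sample value
  const badForm = { username: '!!' };           // constructed invalid submission

  const serverResult = serverValidate(badForm);       // 'invalid-username'
  const serverTag = hmacHex(serverResult, sessionKey);

  // A key printed into the page is readable by whoever controls the browser,
  // so the tag the server would send for 'success' can be computed locally.
  const locallyComputed = hmacHex('success', sessionKey);

  return {
    serverResult,
    honestCheck: clientAccepts(serverTag, sessionKey),        // false
    swappedCheck: clientAccepts(locallyComputed, sessionKey), // true
    // What protects the application: the server acts on its own result.
    serverActsOnSubmission: serverResult === 'success',       // false
  };
}
```

The HMAC still has a use when the verifier is another server-side component that holds the key and the browser only carries the tag; it cannot bind a party that holds the key itself.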