I am confused by the fact that if you do authentication on the site using a jQuery request, then we must allow a service or a PHP script (it doesn't matter what) to be written, which can be accessed and to which the login and password are transferred in the JS script. That is, there is a JS script which contains the code for sending a jQuery request; it can be inspected in the browser. It is also easy to use my service from another hosting (this is handled by checking where the request came from). You can also collect packets with a sniffer and easily analyze traffic that is in the simplest JSON format. Of course, the user is authenticating himself on his own computer and it makes no sense for him to analyze scripts and break something, but I have a strong feeling that there are exceptions to what I wrote above. At the same time, in theory, I need to get back either an identifier or some GUID from the server so that I can use it in other requests, and this is all in the browser (I may be absent from the computer, but the attacker does not sleep); this is solved by changing the GUID at some time interval. I actually write in ASP, and Microsoft itself takes care of secure data transmission, mainly because all operations are performed on the server and everything is encrypted. But there was a task to use asynchronous jQuery requests. Share your experience. How to protect data from the attacker? A simple example: authenticated, remembered the identifier, using the identifier we order goods, but if you remove the identifier, you can order goods on behalf of the victim.
- Well, firstly, the identifier needs to be transferred only in order to use it, not for authentication; for authentication, the hash of the session in which the identifier is already stored is transmitted. Secondly, the protection mechanism was invented long ago; read about CSRF. - sepgg
- @sepgg Well, using tokens seems to be the only way to protect. Let's say we change it every time the user sends a request to the server: the user sent a request to the server with the latest token -> I looked in the database -> the token is correct -> executed the request -> returned a new token to the user. But if the attacker filters the traffic, then he can continue my session. Somewhere I am missing the main point. - Max ProstoMax
- Did you not try using HTTPS? - Visman
- @Visman That is, in $.ajax({type: "POST", url: "ServiceJson/WebServiceJson.asmx/changeLogin", ... write the full address https://...? I have not tried what happens. In that case, what is the point of tokens if the traffic is encrypted? - Max ProstoMax
- If the website works over HTTPS only, then AJAX should work over HTTPS too, I think. And the token should still be used. - Visman