How can I protect user data that can be obtained by means of an Ajax request?

For example, on the bulletin board page we have the button "show the user's phone number". When clicked, an Ajax request is sent to the server with the ad id . The server accepts, searches for a phone number in the database and sends it back to the user in the browser.

Question:

Having all these id ads, you can get a whole list of phone numbers of users. How to protect yourself from this? I saw on some sites besides id in the parameters send crc (hash), which is equal to a random character set. If the server does not receive the RIGHT crc , then no data is returned.

How can this interaction between the client and the server be organized through the generated keys?

  • I made for each user my own code, which was stored in the user's cookies, and the degree of resolution. And on the server I already checked whether the user with this hash tag has access to any data. And + I with each request changed this user hash. Difficult, but safe, as for me - Yuri
  • @Yuri, Ie you generated a hash on the server, assigned it through the cookie. Then in Javascript got this value and sent along with the data via Ajax? - Pavel
  • @Yuri, it turns out that each visitor needs not only to generate this code and assign it via a cookie, but also to write it to the database. So that when the data from the user comes it can be compared, does this hash really belong to it? - Pavel
  • Well, about yes. - Yuri

1 answer 1

I also asked this question and, in turn, turned this scheme:

When registering a user, a special user hash code was entered into the database in a record of information about users and a cookie. When a user sent a request to the server, his cookie hash was checked there and checked with the information in the database to check whether he had permission to the data. If he had permission, I generated a new hash for the user, which I entered into the database and in the cookie (for security reasons from intruders, although it may be stupid).

And besides, I made the user input for this hash. In order not to record his login and password, I simply wrote down the hash in the cookie.

Personally, this is my approach, most likely there is better.