douliangpo0128 2012-06-20 10:43
Views: 48
Accepted

What are the best security guidelines for this AJAX scenario, with a particular focus on authentication?

[I hope that this question is not too broad; I think that the subject is very interesting, but I encourage you to tell me if it's off-policy.]

My scenario is this:

  • I have a LAMP website which also stores sensitive data and documents
  • Only registered users are allowed to operate on the site, and only on certain data and documents. Users are stored in $_SESSION variables
  • Most of the pages implement a sort of rudimentary permission control, but some important DB operations are called via AJAX
  • AJAX security is implemented very poorly, as anyone who is that smart can tamper with the request, sending whatever id they like and deleting records with brutal simplicity

Asking for a complete book on security is obviously a bit too much (and I'm already reading and trying a lot on the subject), so let's say that my main concern is whether AJAX pages should be treated with special regard, as I need to secure the whole software to prevent hacks and other problems.


2 answers

  • duanbu1998 2012-06-20 11:49

    I have a LAMP website who stores also sensitive data and documents

    You should store as little sensitive data as possible, especially when you are not sure how to keep this information secure/private. Use OpenID or something for your authentication, for example. I really like LightOpenID for its simplicity. I created a little example project/library to see LightOpenID in use. It simplifies using OpenID by using openID-selector. When you use OpenID with secure OpenID providers, the passwords are also not transmitted over the wire in plain text but protected by https/SSL.

    Only registered users are allowed to operate on the site, and only on certain data and documents. Users are stored in $_SESSION variables

    Yup, that's what sessions are for.

    Most of the pages implement a sort of rudimental permission control, but some important DB operations are called via AJAX

    You should read up on the OWASP Top 10, at least. (Don't stop at 10.)

    AJAX security is implemented very poorly, as anyone that is that smart can tamper with the request sending whatever id they like and delete records with brutal simplicity

    See the previous section. Read up on the OWASP Top 10 section at least. Something a lot of people overlook, for example, is CSRF.

    This answer was selected by the asker as the best answer.
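The two problems raised on this page are the tampered id in the question (the AJAX endpoint trusts whatever id the request names) and the CSRF gap the answer points out. The following is an added example, not code from the question or the answer, showing the vulnerable delete endpoint the question describes next to a hardened version for the same LAMP setup. It assumes a table `documents` with an `owner_id` column, a logged-in user id in `$_SESSION['user_id']`, a PDO handle `$pdo` created by a hypothetical `db.php`, and a per-session CSRF token that the page's JavaScript sends back in an `X-CSRF-Token` header; `hash_equals` needs PHP 5.6+ and `random_bytes` PHP 7+.

```php
<?php
// Added example (not from the original question/answer): delete.php, an AJAX
// endpoint that deletes one document. Assumptions are marked below.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');
require __DIR__ . '/db.php';   // assumption: db.php creates the PDO handle $pdo

/* --- BEFORE: the pattern the question describes ----------------------------
 * Any request that reaches this file deletes whatever id it names: no login
 * check, no ownership check, no CSRF check, and the id is concatenated into SQL.
 *
 *   $id = $_POST['id'];
 *   mysql_query("DELETE FROM documents WHERE id = $id");
 * ------------------------------------------------------------------------ */

/* --- AFTER: every decision is made server-side from session state ---------- */

// The page that renders the UI should call this once per session and embed the
// token in the page, e.g. <meta name="csrf-token" content="...">, so the AJAX
// layer can send it back as an X-CSRF-Token header.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. State-changing operations only over POST. A delete reachable by GET is
//    triggered from any other site with a single <img src="...">, because the
//    browser attaches the session cookie automatically.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}

// 2. Authentication: the identity comes from the session, never from the request.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 3. CSRF: the token the page was given must be echoed back; a cross-site
//    attacker cannot read it, so a forged request fails here. Constant-time compare.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    fail(403, 'bad CSRF token');
}

// 4. Input validation: the id is a positive integer or the request is rejected.
$docId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($docId === false || $docId === null) {
    fail(400, 'invalid id');
}

// 5. Authorization and action in one statement: the WHERE clause binds the row
//    to the session user, so a tampered id that belongs to someone else deletes
//    nothing. The prepared statement keeps the id from ever altering the SQL.
$stmt = $pdo->prepare('DELETE FROM documents WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $docId, ':owner' => $userId]);

if ($stmt->rowCount() === 0) {
    // Same response whether the row does not exist or is not theirs, so the
    // endpoint cannot be used to enumerate other users' document ids.
    fail(404, 'not found');
}

echo json_encode(['deleted' => $docId]);
```

The point for the question's "should AJAX pages be treated specially" is that they should not: an AJAX endpoint is just another URL, and the browser sends the session cookie to it regardless of who made the request, so it needs exactly the same authentication, ownership and CSRF checks as a normal form handler. Doing the ownership check in the same `DELETE` statement, rather than with a separate `SELECT` first, also avoids a race between the check and the delete.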

