
Securing the XMLHttpRequest


URLJones

Programmer
Jun 14, 2004
42
CA
Hi. I'm relatively new to AJAX and was hoping someone could shed some light on an issue I have with the XMLHttpRequest. I would like to use AJAX on a company website that I will be working on, but security issues have got me a little worried. Namely, if I have something like:

Code:
// Create the request object: IE (ActiveX) or standards-based browsers
if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
} else {
    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
}

// Asynchronous GET against the server-side script
xmlhttp.open("GET", "information.php", true);
xmlhttp.send(null);

I am concerned that the "information.php" file (or any file for that matter) could be accessed without my knowledge. It would be fairly easy to gain access to that file, thus allowing a user to open it and possibly corrupt my information. Is there a good way of securing this data? There are other issues such as Cookies and such that are of concern as well, but I have found some documentation on those issues already. Any help on the aforementioned question would be greatly appreciated.

Thanks!

- URL
 
If the file can be accessed just by someone typing it into the address bar (as in a normal URL) then what kind of security is that? AJAX just allows you to do the same stuff as normal, just through an XMLHTTPObject (ensuring you don't have to reload the page). If your information.php page is secured (via cookies or sessions or something) then using AJAX will not change that. If you are relying on someone just being unaware of the URL (security through obfuscation) then you are just waiting for trouble.

Cheers,
Jeff

Jeff's Page @ Code Couch

What is Javascript? FAQ216-6094
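The point Jeff makes, that the endpoint's own session check is what protects it regardless of whether the browser navigated to it or fetched it via XMLHttpRequest, as an added example that is not from the thread. It is a plain Node.js handler function standing in for information.php; the session store, cookie name `sid` and the `staff` role are constructed for illustration.

```javascript
// Constructed server-side session store (the equivalent of PHP's $_SESSION):
// session id -> user record. It never leaves the server.
const SESSIONS = new Map([
  ["s3ss10n-alice", { user: "alice", role: "staff" }],
  ["s3ss10n-guest", { user: "guest", role: "visitor" }],
]);

// Parse a Cookie request header into an object; returns {} when absent.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The gate for the information endpoint. Note what it does NOT look at:
// the Referer, X-Requested-With, or any hint that the caller is "our" AJAX
// code, all of which the client controls. Only a live session cookie counts,
// and it is checked the same way for an address-bar visit and an XHR call.
function handleInformation(req) {
  const headers = (req && req.headers) || {};
  const cookies = parseCookies(headers.cookie);
  const session = cookies.sid ? SESSIONS.get(cookies.sid) : undefined;

  if (!session) {
    // Authentication failed: no cookie, or a cookie naming no live session.
    return { status: 401, body: { error: "not logged in" } };
  }
  if (session.role !== "staff") {
    // Authenticated but not authorised: a logged-in visitor still gets nothing.
    return { status: 403, body: { error: "forbidden" } };
  }
  // Only now is the sensitive data returned (constructed sample value).
  return { status: 200, body: { user: session.user, data: "inventory figures" } };
}

module.exports = { handleInformation, parseCookies };
```

Wiring `handleInformation` into an HTTP server and reusing the same function for both the HTML page and the AJAX endpoint is the whole trick: the XHR call inherits the browser's cookies, so a user who can read the page can read the endpoint, and nobody else can.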
 
The question is, if information.php returns important and valuable information to the client, why do you need it there? Why don't you put that part of the web app server-side?

AJAX is mainly there to make the GUI experience richer, like a desktop app. You normally handle data and/or XML/XSLT/XHTML the user can have access to anyway. If you do something related to business logic or security on the client side, that is of course unsafe.

Bye, Olaf.
 
My PHP skills are lacking, but coming from the Perl world, I usually have my server-side Perl scripts look up sensitive data from a file that's in an out-of-bounds area for the web users (traditionally /var/ for me or ~/public-html for hosted sites). I keep database login information in a file such as /var/ and read that information rather than embed it in umpteen Perl scripts. Apache (by default) sees only /var/ and down (except for some specials such as /var/ that are defined in the .conf file) and cannot be coaxed into coughing up the sensitive data.

By keeping the sensitive look-up data outside the browser-viewable world and inside the readable area of the httpd owner, I think you're "safe".
 