
Penny Auction AJAX Security

Developer https://www.devze.com 2023-04-03 22:57 Source: web

I'm currently developing a penny auction website to test my ability at programming javascript and using AJAX effectively. However, I have come across the problem of security.

Firstly, I have been debating whether authentication should be handled server side or client side but have come to a decision that the PHP could handle this much more easily. For instance, when a user sends a bid via AJAX to a PHP file on the server, this will then check if the user is logged in and then sanitise the data before the bid is entered into the database.

Secondly, is there any way of encrypting or obscuring data being sent, as due to JavaScript's open nature it seems to pose a considerable threat?

Thanks.


Clients to web applications are inherently untrusted, since you have no control over what the user's browser is going to do. Therefore, never rely on the client to perform sensitive operations.

To answer your specific questions, definitely perform all the authentication and authorization checks on the server side. SSL/TLS encryption will protect data in transit between the client and server, but the data will unavoidably be unencrypted once it reaches the client, so you can't use encryption to somehow hide or protect data from the client and still expect the client to be able to do anything with it.


Security through obscurity is no security at all, as always. If the information you're keeping in JavaScript is so sensitive that it can't be seen and is a risk because of "JavaScript's open nature", it should not be in JavaScript.
