Re: Securing AJAX requests with PHP?
- From: Alex Weber <alexweber15@xxxxxxxxx>
- Date: Mon, 20 Oct 2008 17:07:21 -0700 (PDT)
On Oct 19, 7:38 pm, phps...@xxxxxxxxx ("Bastien Koert") wrote:
On Sat, Oct 18, 2008 at 11:28 AM, Jay Moore <jaymo...@xxxxxxxxxxxx> wrote:
Yeti wrote:
Ok, but how safe are tokens?
Thinking of man in the middle attacks they do not make much sense, do
they?
That's what I was thinking too. If I'm deleting an entry from a database
with AJAX, I don't want someone looking at my Javascript and saying, "Hmm,
all I need to do is pass this info to this URL and I can delete at will.."
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:http://www.php.net/unsub.php
True, but then my permission / auth / workflow schema defines all that. the
user won't like have that permission, the request will be logged and nothing
is ever deleted from the app in any case since I only allow soft (record
level flag ) deletes to ensure data integrity
--
Bastien
Cat, the other other white meat
A complement:
When authenticating users, always assign a new id after they
authenticate using session_regenerate_id()
http://br2.php.net/manual/en/function.session-regenerate-id.php
Alex
.
- References:
- Securing AJAX requests with PHP?
- From: Jay Moore
- Re: [PHP] Securing AJAX requests with PHP?
- From: Jochem Maas
- Re: [PHP] Securing AJAX requests with PHP?
- From: Yeti
- Re: [PHP] Securing AJAX requests with PHP?
- From: "Bastien Koert"
- Re: [PHP] Securing AJAX requests with PHP?
- From: Yeti
- Re: [PHP] Securing AJAX requests with PHP?
- From: Jay Moore
- Re: [PHP] Securing AJAX requests with PHP?
- From: "Bastien Koert"
- Securing AJAX requests with PHP?
- Prev by Date: Re: case-insensitive Class Constants possible?
- Next by Date: php "make test" failures
- Previous by thread: Re: [PHP] Securing AJAX requests with PHP?
- Next by thread: Re: [PHP] Securing AJAX requests with PHP?
- Index(es):
Relevant Pages
|
