jQuery的AJAX数据后安全建议吗？ [英] Security advice for jquery ajax data post?

问题描述

我使用jQuery AJAX发布更新回我的服务器。我很担心确保我已经制定了相应的措施，使仅我的AJAX调用可以发布数据。

I'm using jquery ajax to post updates back to my server. I'm concerned about making sure I have put in place appropriate measures so that only my AJAX calls can post data.

我的筹码是针对MySQL的后端上的Apache PHP。

My stack is PHP on Apache against a MySQL backend.

建议大大AP preciated！

Advice greatly appreciated!

推荐答案

任何请求的AJAX在页面调用可以使也可以由人在应用程序之外进行。如果做得正确，你将无法分辨他们是由从你的web应用或手/其他方式的AJAX调用的一部分。

Any request that the AJAX calls in your pages can make can also be made by someone outside of the application. If done right, you will not be able to tell if they were made as part of an AJAX call from your webapp or by hand/other means.

有两种情况，我能想到这些，你可能是说，当你说你要确保只有您的AJAX调用可以发布数据：要么你不想恶意用户能够发布数据干扰了其他用户的数据，或者你真的想限制的职位，以在多请求操作的流之中。

There are two scenarios I can think of which you might be talking about when you say you want to make sure that only your AJAX calls can post data: either you don't want a malicious user to be able to post data that interferes with another user's data or you actually want to restrict the posts to being in the "flow" of a multi-request operation.

如果你关心的是第一种情况（有人恶意发布数据/以其他用户身份）是否使用AJAX或没有解决的办法是一样的 - 你只需要进行身份验证通过任何手段是必要的用户 - 通常通过会话cookie。

If you are concerned with the first case (someone posting malicious data to/as another user) the solution is the same whether you are using AJAX or not -- you just have to authenticate the user through whatever means is necessary -- usually via session cookie.

如果你所关心的第二种情况，那么你将不得不做一些这样的问题一个独特的标记，在这个过程中的每一步，并存储在服务器端的预期令牌。然后，当一个请求，检查是否有在服务器端相应的条目为正在采取的行动和预期的标记匹配，并且该令牌还没有被使用。如果没有，你拒绝该请求，如果有，那么你作为标记使用的标记和处理请求。

If you are concerned with the second case, then you are going to have to do something like issue a unique token at each step of the process, and store the expected token on the server side. Then when a request is made, check that there is a corresponding entry on the server side for the action that is being taken and that the expected tokens match and that that token has not been used yet. If there is no, you reject the request, if there is, then you mark that token as used and process the request.

如果你关心的是东西比这两个方案的另外一个，那么答案将取决于您所提供更多的细节。

If what you are concerned about is something other than one of these two scenarios then the answer will depend on more specifics than you have provided.

这篇关于jQuery的AJAX数据后安全建议吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！