Best way to secure an AJAX app


Question

I am currently working on the authentication of an AJAX based site, and was wondering if anybody had any recommendations on best practices for this sort of thing.

My original approach was a cookie based system. Essentially I set a cookie with an auth code, and every data access changed the cookie. As well, whenever there was a failed authentication, all sessions by that user were de-authenticated, to keep hijackers out. To hijack a session, somebody would have to leave themselves logged in, and a hacker would need to have the very last cookie update sent to spoof a session.

Unfortunately, due to the nature of AJAX, when making multiple requests quickly, they might come back out of order, setting the cookie wrong, and breaking the session, so I need to reimplement.

My thoughts are:

  • A decidedly less secure session based method
  • Using SSL for the whole site (seems a little overkill)
  • Using SSL authentication with an iframe for the secure transactions (I'm only fairly sure this is possible, using a little jQuery hacking)

The issue is not the data being transferred, the only concern is that somebody might get control over an account that is not theirs.

Recommended answer

A common solution is to hash the user's session id and pass that in with every request to ensure the request is coming from a valid user (see this slideshow). This is reasonably secure from a CSRF perspective, but if someone was sniffing the data it could be intercepted. Depending on your needs, SSL is always going to be the most secure method.
