Secure cross-domain data exchange between AJAX and PHP


On one server there is a PHP script; on another, a friend's site that uses AJAX. How can data be passed between them so that it stays confidential and cannot be forged (instead of AJAX it might be Flash, and plain GET/POST requests over sockets are easy, and that is roughly the setup here)?

The only thing that comes to mind is an additional script tag and sockets + SSL. But that is not very convenient (because Flash can be used without PHP). Using secret keys does not seem safe to me: Flash or JavaScript is easy to pull apart and spy out all the information. RSA works one way, but in the reverse direction, again, one can spy out the secret key.

What are the options?

6 Answers

It is obvious that you do not understand how the Open API works, since you keep trying to compare what you need with this technology.

The structure is as follows: there is the client browser with JavaScript enabled.
There is the site's server.
There is the Vkontakte server.

When a person wants to log in, he clicks the "log in via Vkontakte" button. A popup window opens with a page from the Vkontakte domain, where the user enters his email and password; the login and password are sent to the Vkontakte server. The Vkontakte server checks them and, if everything is OK, sends the data to the site's server on which the person is being authorized. The site's server accepts the data, checks it, and if everything is OK, authorizes the person.

That is, authentication of the data happens on the server side, not on the JavaScript side.

Nobody stores keys in the JavaScript/Flash part. In any case, you need another script on the client site's server, which will authenticate the data received from the service provider's server and then pass it on to the browser (via Ajax or something else).

The answer to the question above: how to determine that the visitor is already logged in on the service provider's website?
Very simply: the service provider's website sets its cookie on the client. The client website puts an iframe on its page, in which a special page of the provider's website is loaded with a special parameter of the form from=site-client. The service provider's website receives the request for this page, checks whether the person has its cookie, and if so, sends the needed data to the client site's server, and the client website then sends the data to the user's browser via Ajax.

All communication from the point of view of JS takes place within a single domain: the iframe with the provider's website, and Ajax with the client website.

All cross-domain data exchange (between the provider site and the client site) happens on the server side without the participation of the client's browser, and the data cannot be intercepted.
by
It all depends on whether it is possible to do something not on the client side but on the server side of the site of the person who is the service. That is exactly how VKontakte works, if I remember correctly.
(Well, to be completely accurate, there are two sets of keys: one to complicate life for those who would break it, and the second is really secret, known only to the server part.)

I.e., the situation changes: AJAX asks not your website but the other website, which then asks yours (and does so either every time, or after the initial success sets the correct session cookie, etc.).

I.e., if the person changes anything on the client side, the server part will still refuse to handle its requests.

The interaction between the client's site and your site can be over any protocol, because the user cannot forge it.

For example, authorization:

A is AJAX, S is the client's site, U is your website.

A -> S: authorize me, here is my data (tampered with however many times)
S -> U: somebody wants to log in, here is his data
U -> S: okay, the data is fine
S -> A: here is the session cookie to work with

Since in this scheme an attacker has no control over the data between S and U, he cannot do anything critical.
by
I was interested in your question and decided to investigate.
As it turned out, Vkontakte authorization is arranged through its Open API and resembles OpenID. It is described here.
In fact, at the moment I can only help with advice (read about OpenID and the Open API). In the near future I will try to figure it out myself and will report back here, if the question is still relevant.
by
If you have looked in the direction of RSA, it is possible to do public-key encryption. As I understand it, you want to transfer data from one domain to another? Then this type of encryption will do. But this is only a suggestion of how to solve the problem; surely there are easier ways.
by
It seems much simpler than I thought.
What prevents you from simply authorizing by login and password, with the standard methods?

A ready-made script that opens a window where the user gives his login, and then sets the session/cookie? And then all scripts already work with our site with its normal authorization...

Or is it necessary to protect against crooked queries to our website? Well, if the queries are sent by the client, the attacker will eventually be able to send anything, however you defend yourself, i.e. in this case you cannot do without the server.
by
Briefly:
curl and fsockopen
You will have trouble with keys, but use the same curl and fsockopen as an additional measure.
And your Flash or script can obtain data from the scripts which perform these functions.
by
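The server-to-server leg that both the A/S/U exchange (S -> U, U -> S) and the curl/fsockopen answer rely on, written out as an added PHP example; it is not code from this thread or from any of the sites mentioned. It assumes a shared secret that exists only on S's and U's servers (SHARED_SECRET, a placeholder value), authenticates each S -> U message with an HMAC rather than the RSA the question mentions, and the send_to_u helper and its URL are hypothetical. The demo signs and verifies in one process and never touches the network, so it runs offline with the PHP CLI.

```php
<?php
// Added example, not from the thread: the S -> U server-to-server request.
// The secret lives only on the two servers; the browser (A) never sees it,
// which is exactly why keys in JavaScript/Flash are unnecessary here.
// SHARED_SECRET and the endpoint URL are placeholders.

const SHARED_SECRET = 'replace-with-a-long-random-secret-kept-only-on-S-and-U';
const MAX_SKEW      = 300; // seconds; anything older is treated as a replay

// S builds the fields it forwards to U and signs them. The HMAC covers every
// field (in canonical order), so changing any one of them in transit breaks it.
function sign_request(array $fields, string $secret, ?int $now = null): array
{
    $fields['ts']    = $now ?? time();
    $fields['nonce'] = bin2hex(random_bytes(16));   // unique per request
    ksort($fields);                                 // canonical key order
    $fields['sig']   = hash_hmac('sha256', http_build_query($fields), $secret);
    return $fields;
}

// U checks the request: recompute the HMAC over everything except sig,
// compare in constant time, and reject stale timestamps.
function verify_request(array $fields, string $secret, ?int $now = null): bool
{
    if (!isset($fields['sig'], $fields['ts'])) {
        return false;
    }
    $sig = (string) $fields['sig'];
    unset($fields['sig']);
    ksort($fields);
    $expected = hash_hmac('sha256', http_build_query($fields), $secret);
    if (!hash_equals($expected, $sig)) {
        return false;                               // forged or altered
    }
    $age = abs(($now ?? time()) - (int) $fields['ts']);
    return $age <= MAX_SKEW;                        // outside the replay window
}

// How S would actually deliver it with curl, as the last answer suggests.
// Hypothetical helper, not called in this demo; $url stands for U's HTTPS endpoint.
function send_to_u(string $url, array $signed)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($signed),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // keep certificate checks on
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Demo with a constructed login check for user "alice".
$now    = time();
$signed = sign_request(['action' => 'login', 'user' => 'alice'], SHARED_SECRET, $now);
echo 'genuine request accepted: ', var_export(verify_request($signed, SHARED_SECRET, $now), true), "\n";

// The same message with one field altered: the signature no longer matches.
$tampered = $signed;
$tampered['user'] = 'admin';
echo 'altered request accepted: ', var_export(verify_request($tampered, SHARED_SECRET, $now), true), "\n";

// An intact copy presented ten minutes later fails the freshness check.
echo 'replayed request accepted: ', var_export(verify_request($signed, SHARED_SECRET, $now + 600), true), "\n";
```

Run it with `php` on the command line; the three lines print true, false and false. Whatever A sends to S can be tampered with freely, as the answer notes, but S re-signs only what it chooses to forward, and U trusts nothing that does not carry a valid, fresh signature under a secret the browser never held. The nonce is included so that U can additionally keep a short-lived list of seen nonces and reject duplicates inside the skew window.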