PHP加密-JS解密。 安全问题
[英]PHP encrypt - JS decrypt. Security issue
问题描述
i have a bunch of websites of mine that need to call an external server asking for some data. 
我有一堆我的网站,需要打电话给外部服务器询问一些数据。 This server contains sensible information such as discount codes that need to be applied on the website, based on what the user is doing. 该服务器包含明智的信息,例如根据用户的行为需要在网站上应用的折扣代码。
Since i can't do a synchronous ajax call on users' actions (deprecated and bad practice), i'm doing it async everytime a user loads the page on these websites. 由于我无法对用户的操作(不推荐使用和不良做法)进行同步ajax调用,因此每次用户在这些网站上加载页面时,我都会异步执行。 The call retrieves all the possible discount codes but i'd like people not being able to decode it and get them for free. 该电话检索了所有可能的折扣代码,但我希望人们无法对其进行解码并免费获得它们。 The server creates a json array and encodes it as base64, then the JS in the user browser will decode it (atob() function) giving me the json i needed to work with. 服务器创建一个json数组并将其编码为base64,然后用户浏览器中的JS将对其进行解码(atob()函数),从而提供需要使用的json。
I'd like to apply an encryption to this like an algorithm for letters swapping or something. 我想对此应用加密,例如用于字母交换或其他的算法。 This means that even if the user reads my json result is not going to be able to read it BUT he could read it when my JS code tries to decode it (pausing with the debugger). 这意味着即使用户读取了我的json结果也将无法读取它,但是当我的JS代码尝试对其进行解码(使用调试器暂停)时,他仍然可以读取它。
So my question is: could javascript obfuscation solve my issue? 所以我的问题是:JavaScript混淆可以解决我的问题吗? My JS would contain the algorithm to take my string back to its original form but the whole code is obfuscated therefore debugger won't work. 我的JS将包含将我的字符串恢复为原始格式的算法,但是整个代码被混淆了,因此调试器将无法工作。 Is that a safe approach to the matter? 这是解决问题的安全方法吗? If not, how could i do it safely? 如果没有,我如何安全地做?
Summing it up, the system works like this: 总结起来,系统是这样的:
1.User loads page in website 1.用户在网站上加载页面
2.JSONP AJAX call asks all the available discount codes from my server 2.JSONP AJAX呼叫从我的服务器询问所有可用的折扣代码
3.Server gets the list, makes a JSON of it and returns a base64 string of this json 3.服务器获取列表,使其成为JSON并返回此json的base64字符串
4.Client gets this and when he clicks on something particular i decode the json and apply the correct discount based on calculations. 4.Client得到这个,当他单击某个特定的东西时,我解码json并根据计算应用正确的折扣。
I hope it's clear enough for you to give some suggestions :) 我希望您已经足够清楚地提出一些建议了:)
thanks! 谢谢!
1 个解决方案
解决方案1
1 2018-02-12 09:30:11
If you make your decryption on the Client machine, then there is no way of making it secure. 如果在客户端计算机上进行解密,则无法确保其安全性。 You could apply obfuscation, or other means of hiding your process, but ultimately there is a point in the code which makes the decryption, and is available to the client. 您可以应用混淆或其他隐藏进程的方法,但是最终代码中有一点可以解密,并且可供客户端使用。 You should not do that on the client side. 您不应该在客户端这样做。
You could maybe do this: 您也许可以这样做:
- Website loads 网站加载
- It sends request for promo codes, along with the user details. 它发送促销代码请求以及用户详细信息。
- You send only data that is available for that user. 您只发送该用户可用的数据。
In this way you do not need to encrypt anything, but it will involve some rethinking and change to server side logic. 这样,您无需加密任何内容,但是将需要重新考虑并更改为服务器端逻辑。
There is maybe another solution, which is hacky, and also requires server change. 也许还有另一种解决方案,这很hacky,并且还需要更换服务器。 Send the codes as you already send them, but send them incomplete. 按照您已发送的代码发送代码,但发送不完整。 Maybe remove last 2 or more digits. 也许删除最后两位或更多位数。 Then the user requests to activate promotion, and sends the incomplete code. 然后,用户请求激活促销,并发送不完整的代码。 Then you look in your table code that starts (like '%'), and create the working code on the server side. 然后,您查看开始的表代码(例如'%'),并在服务器端创建工作代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.