Securely passing variable from client side javascript to nodejs server
Question
I have a website made using php and one part of it is written in node js. The node js server and php share the mysql database. One part of my website is using nodejs which requires that I pass the user id from client side to node js server.
for example I am doing something like this
var user_id=parseInt(<?php echo $this->id; ?>);
The php part is in zend. so for those unfamiliar with zend this id is set in the controller for this particular view.
So when i view the source for this particular page the user id is clearly visible and if changed, a user can make changes to some tables in the database of another user if he passes some other user id instead of his.
What is the best way to hide this variable or some other approach which will help me overcome this issue ?
1 answers
solution1
2 ACCPTED 2015-07-14 18:12:21
You have something backwards here.
PHP is a backend language as well and Node is your backend language.
Now to communicate within them why do you pass the parameter to the javascript via HTML and then expect it to be secure
Best way to handle it is that you should either create some API on the node so the PHP can send the values directly to that.. by talking to this API instead of waiting for javascript to do it.
OR
You should create a token authentication system and use it so everytime php page is generated for this client, it creates a token with some random chars and then pass this token to the JS.. JS then requests Node with this token.. Node sees the token table and identifies the Client ID and that would do the necessary job.
Some kind of token/ auth should be used on the Node side else your server is not secure regardless.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.