How to protect javascript variables from being manipulated when posting to server?
Question
I'm building a simple mvc application in ASP .NET and I would like to keep all the user data of a session on the client side, ie that at each time the page is loaded the variables restarts from zero (for example, points in a game). That data would then be sent to the server side (as a post) to be treated and then returned to the client. I'm doing this as to not use a database and gain performance.
However, how can I ensure that this data can't be manipulated before being sent to the server? Excuse me, I'm kind of new to all this.
Thanks
4 answers
solution1
3 2011-10-01 02:52:59
Everything coming from the client can be manipulated, including javascript variables, FORM variables etc.
Always treat anything coming from the browser as untrustworthy. Always check if caller has access to the resource which is being requested, for every HTTP request. This is the cardinal rule for all web applications. It is generally done in the filter so, it is not so bad.
solution2
2 ACCPTED 2011-10-01 02:34:45
You could embed an HMAC in the data sent to the client so the server can verify it hasn't changed when the client sends it back later. But you also have to worry about things like replay attacks — even if a malicious client can't change the data, it can send old data that it received several reloads ago.
You say you're trying to gain a performance advantage by not using a database, but have you actually evaluated database performance and found it to be too slow? This sounds like you may be choosing a weird design for your application based on an unfounded assumption.
solution3
1 2011-10-01 02:23:47
您不能,最好的办法是在服务器端验证它们,并确保它们不包含任何恶意字符,您也可以使用哈希来验证变量是否已被手动修改,尽管它们仍然可以更改。
solution4
1 2011-10-01 02:24:21
当页面回发时, isn't保护或保留JavaScript变量的值。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.