The Importance of Session Management and AJAX Security
I have been reading a lot recently about how insecure AJAX applications are, but I haven't seen many suggestions for fixing them. That is probably because plenty of people want to make a killing by ransoming that information off as consulting fees. It is easy to improve the security of your AJAX application without paying a fortune for it. None of the methods I'm about to describe are foolproof, but they should stop much of the drive-by service theft those articles describe: third parties calling your back-end services directly, outside of your pages.
- USE SESSION MANAGEMENT – I know it seems basic, but when a user comes in through your entry point (the home or login page), establish a server-side session for them, and have every service verify that the request carries a valid, unexpired session before releasing or accepting data.
It is pretty easy to get around this by having a bot hit the home page first to pick up a session, so this check alone stops casual hacks, not a determined attacker.
How to Do This:
- USE SSL – If you must set the session cookie or accept login information, whatever you do, don't send it unencrypted. SSL is what provides the encryption; don't try to replace it with application-level tricks. Mashing the user name and password together with some key is not encryption, and AES-128 with a pre-shared key doesn't help either, because any key you give an AJAX client is sitting in plain text in the downloaded script. The way to do this is to bring the user into a standard Web 1.0 login page served over SSL, check the credentials on the server, and hand back a long random session identifier. Save that identifier, and only that identifier, as a cookie marked Secure (so the browser never sends it over plain HTTP) and HttpOnly (so page script can't read it). Never store the password, or anything derived from it, in a cookie: a cookie is just a stored copy of the secret, and whoever gets the cookie gets the secret.
If your user can't accept cookies, the fallback is to attach a varying token (a fresh random value, used once and replaced on each request) to the URL string of each request. This method is not very secure, because URLs end up in server logs, browser history and Referer headers, but it is better than nothing.
Anyway, these are a couple of methods to easily safeguard your site against the most basic hacks. As I have always said, if you have something that someone wants badly enough, there is almost nothing that will save you. The best you can hope for is some type of intrusion detection, so that you are alerted to their presence. You could also employ a service honeypot that delivers false information to a would-be hacker; a service like that can keep them busy long enough for you to detect them and boot them.
Anyway, I'll probably write more about techniques for securing your services even when all of your business logic is downloaded to the client. There are inherent problems with pushing that much logic in plain text to the client, but with the right combination of Web 1.0 and Web 2.0 techniques, you can easily establish a modicum of security.