Today is a good day to code

The Importance of Session Management and AJAX Security

Posted: December 31st, 1969 | Author: | Filed under: Uncategorized


I have been reading a lot recently about how insecure AJAX applications are, but I haven't been seeing many suggestions. That is probably because a bunch of people want to try to make a killing by ransoming off that information as consulting fees. It is easy to improve security for your AJAX application without paying a grip for it. None of the methods I'm about to describe are foolproof, but they should stop much of the drive-by service theft that many of these articles describe.

  1. USE SESSION MANAGEMENT – I know it seems basic, but if you establish a session for your users when they come into your entry point, have your services verify that the session is valid before releasing or accepting data.

    Now it is pretty easy to get around this by having your hack bot hit the home page first, but again it should stop some of the casual hacks.

    How to do this:

    1. The safest way is to set a session cookie upon entry with JavaScript. Most robots don't process JavaScript, especially if they are using an XML interface, so they wouldn't have received the session cookie.

      If you want to see how to set a cookie with JavaScript, check the JavaScript libraries on my site.

  2. USE SSL – If you must set the session cookie, or accept login information, whatever you do, don't send it unencrypted. The simplest way to encrypt the user name and password is to mash them together with some key. The hardest way is to AES-128 encrypt the user name and password with a pre-shared key. The way to do this is to bring the user into a standard Web 1.0 SSL login page. They will then receive their key. You can save their login information, hash-encoded with AES-128, as a cookie.

    This is complicated because you have to manage the pre-shared keys on the back end and expire them appropriately, etc. For many Web 2.0 sites this won't work because the user name and password are sent over an XMLHttpRequest call, and are easily snooped. I would recommend using a JavaScript-based AES-128 encryption package. There are many good examples on the web, though they will require some cleaning up for proper use. This will let you use something that is shared between the client and the server as the key, and encrypt the login and password. Once the server gets it, whatever the key is was already sent in the headers, so you can decrypt the user name and password and establish the user's valid session.

    If your user can't accept cookies, then the best way is to attach a varying GUID to their URL string as a token for each request. This method is not very secure, but it's better than nothing.

Anyway, these are a couple of methods to easily safeguard your site against the most basic hacks. As I have always said, if you have something that someone wants really badly, there is almost nothing that will save you. The best you could hope for is some type of intrusion detection, so that you could be alerted to their presence. You could also employ a service honeypot that would deliver false information to a would-be hacker. That service could keep them busy long enough for you to detect them and boot them.

Anyway, I'll probably write more about techniques for securing your services even though all of your business logic is downloaded to the client. There are inherent problems with pushing that much logic in plain text to the client, but with the right combination of Web 1.0 techniques and Web 2.0 techniques, you can easily establish a modicum of security.