Comments on: AJAX Security Research and Findings - Round 2 http://www.102degrees.com/blog/2007/07/06/ajax-security-research-and-findings-round-2/ Web Programming and Design by Aaron Saray Fri, 05 Dec 2008 13:16:25 +0000 http://wordpress.org/?v=2.6.3 By: aaron http://www.102degrees.com/blog/2007/07/06/ajax-security-research-and-findings-round-2/#comment-256 aaron Thu, 03 Jan 2008 23:48:53 +0000 http://www.102degrees.com/blog/2007/07/06/ajax-security-research-and-findings-round-2/#comment-256 Hello, I'm still trying to figure out exactly how to pass the session/token. However, here are my thoughts: 1) php generate a token 2) php inserts the token into the javascript somewhere 3) ajax sends this token 4) php verifies the token sent matches the session. This is a one time token only, so it offers marginal security, but still some. HOpe that helps - I'm always looking for more tips myself. Hello,

I’m still trying to figure out exactly how to pass the session/token. However, here are my thoughts:

1) php generate a token
2) php inserts the token into the javascript somewhere
3) ajax sends this token
4) php verifies the token sent matches the session.

This is a one time token only, so it offers marginal security, but still some.

HOpe that helps - I’m always looking for more tips myself.

]]> By: Matt http://www.102degrees.com/blog/2007/07/06/ajax-security-research-and-findings-round-2/#comment-247 Matt Sat, 15 Dec 2007 04:58:14 +0000 http://www.102degrees.com/blog/2007/07/06/ajax-security-research-and-findings-round-2/#comment-247 Hey I had a question about your token security. I was reading a article that mentioned this (from darknet.org) about a server passing a token to the client then comparing them and was wondering if you got this to work. I really want to secure my ajax applications and I was thinking of using php to generate a token then storing that in a database and in a php session var then on the ajax page make sure the session matched what the db has. could you give me more detail about how your token security works and where you are actually storing the token? should i pass this token in plain javascript or is storing it in the users session ok? Thanks!! Hey I had a question about your token security. I was reading a article that mentioned this (from darknet.org) about a server passing a token to the client then comparing them and was wondering if you got this to work. I really want to secure my ajax applications and I was thinking of using php to generate a token then storing that in a database and in a php session var then on the ajax page make sure the session matched what the db has. could you give me more detail about how your token security works and where you are actually storing the token? should i pass this token in plain javascript or is storing it in the users session ok? Thanks!!

]]>