I have a question regarding cross-origin policies.
I have a web app that gets data, usually in JSON format, via ajax.
When the web app initializes, a unique ‘key’ or ‘token’ is created from the server via ajax and is sent to the client, as a means to identify it. The token is sent back on every ajax call for validation purposes. If it is not validated within two hours, a PHP script deletes it, and the user is required to authenticate him/herself again.
If the user sends another ajax call (i.e. if there is activity with the associated token), the token sets its expiration for another 2 hours.
On every call, I validate the token and then process the request. Everything works well but my issue is security-oriented.
Since the token is stored client-side (very crudely, like window.token = 'YTM0NZomIzI2OTsmIzM0NTueYQ==';), won’t it be possible for malicious users to inspect the code, copy the JavaScript including the token, and create another app that will access the same data?
"Since the token is stored client-side (very crudely, like window.token = 'YTM0NZomIzI2OTsmIzM0NTueYQ==';), won't it be possible for malicious users to inspect the code, copy the JavaScript including the token, and create another app that will access the same data?"
Yes.
And possibly even more disturbing to you may be this: it doesn’t even matter how your token is stored client-side – they’d even be able to log in using the same API you expose to your users for logging in. (And if you think you don’t have a login API because it’s a form-post or something similar, you’re fooling yourself – a form post is just as much an “API” as anything else… and can easily be replicated elsewhere).
The cross-domain stuff has very little to do with anything – as that’s a client-side restriction of a browser – intended for the user’s protection – not yours. I can make any HTTP request I want from a desktop or a server. I can even set up a service which allows me to proxy all requests made to my service over to your service… so the cross-domain security in browsers is of no help to you.
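Added example, not the asker's or the answerer's code: the server-side half of the scheme the question describes (token issued at start, checked on every ajax call, 2-hour sliding expiry), written so that the token is treated as what the answer says it is, a bearer credential whose only protection is the server's own validation. The in-memory array standing in for the token store is an assumption; a real app would use its database.

```php
<?php
// Added example (not the asker's code): a server-side token store with the
// 2-hour sliding expiration described in the question. Whoever presents the
// token gets the data, from any origin or any non-browser client, so every
// access-control decision has to be made here, server-side.
declare(strict_types=1);

const TOKEN_TTL = 2 * 60 * 60; // two hours of inactivity, as in the question

// Assumed store: any server-side storage keyed by token hash (DB, Redis, ...).
// A plain array stands in for it so the example runs offline.
$tokens = [];

function issueToken(array &$store, int $userId, int $now): string
{
    // 32 CSPRNG bytes: unguessable, and the value itself carries nothing;
    // the binding to a user exists only in the server-side record.
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked store does not yield usable tokens.
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + TOKEN_TTL];
    return $token;
}

// Returns the bound user id, or null if the token is unknown or stale.
// A successful call extends the window ("activity"); a stale token is
// deleted on the spot, which replaces the periodic cleanup script.
// The request's Origin header is deliberately never consulted: the browser
// sets it for the user's protection and any other client can omit it.
function validateToken(array &$store, string $presented, int $now): ?int
{
    $key = hash('sha256', $presented);   // hashing first avoids timing leaks on lookup
    $entry = $store[$key] ?? null;
    if ($entry === null) {
        return null;
    }
    if ($entry['expires'] < $now) {
        unset($store[$key]);
        return null;
    }
    $store[$key]['expires'] = $now + TOKEN_TTL;
    return $entry['user'];
}

// Constructed walk-through: issue, use within the window, then let it go stale.
$t0 = 1000000;
$t  = issueToken($tokens, 42, $t0);
var_dump(validateToken($tokens, $t, $t0 + 3600));                  // int(42), window extended
var_dump(validateToken($tokens, $t, $t0 + 3600 + TOKEN_TTL + 1));  // NULL, record deleted
var_dump(validateToken($tokens, 'never-issued-by-this-server', $t0)); // NULL
```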