If I have a website with login and session management, and the pages uses ajax to send form data to the server side.
How do I protect anyone from just saving the HTML and JavaScripts, and thereby completely bypassing the login and session management?
Do you generate a token on successful login, and send this along with the JSON string, so the server side script can check against this?
If so, does there exist solutions for this that I can just use, so I don’t have to write them myself?
I am interested in both Djando and ROR solutions, as I am trying out both right now.
You should implement logging in on the server. AJAX requests exist within the same session as regular request, so if someone is logged in, they are logged in for the AJAX request too. If the user is not logged in, you can check this for the AJAX request too. Check on the server if a user is logged in and return an error code if not.
The server should never rely on the client to tell it whether someone is logged in. The only client data to use for that is the session token, combined with the IP address if you want to be more secure.