I’m currently developing a penny auction website to test my ability at programming javascript and using AJAX effectively. However, I have come across the problem of security.
Firstly, I have been debating whether authentication should be handled server side or client side but have come to a decision that the PHP could handle this much more easily. For instance, when a user sends a bid via ajax to a php file on the server this will then check if the user is logged in and then then sanitise the data before the bid is entered into the database.
Secondly, Is there any way of encrypting or obscuring data being sent as due to javascript’s open nature it seems to pose a considerable threat?
Thanks.
Clients to web applications are inherently untrusted, since you have no control over what the user’s browser is going to do. Therefore, never rely on the client to perform sensitive operations.
To answer your specific questions, definitely perform all the authentication and authorization checks on the server side. SSL/TLS encryption will protect data in transit between the client and server, but the data will unavoidably be unencrypted once it reaches the client, so you can’t use encryption to somehow hide or protect data from the client and still expect the client to be able to do anything with it.