I’m working on a module in PHP which uses login authentication from another system and has the following characteristics:
- Login is done through form submission, which then, based on the user login, allows access to different sets of sub-modules based on back-end processing.
- Page interactions are all done with jQuery. Communications with back-end are all done in Ajax.
- Submodules include reports and CRUD forms, each requiring access control so for example, 1 department can’t view report A but can view report B while another could view both. Forms are strictly available to certain groups.
- All AJAX requests return JSON
I could figure out the ACL at the back-end but I’m not sure about securing the AJAX requests.
The best I could come up with is having an API key per user, per submodule, and checking for user sessions on every request.
Just to clarify, I can’t touch on the login process because it’s restricted to another system. I could only get cookies and query the other system to verify whether they are logged in or not.
What would you do to harden the AJAX security in a scenario like this?
Yes, you can … and must. You can’t trust the client to tell you if the client is allowed to access something.
Ajax requests are just HTTP requests that are made by JavaScript. The only difference when it comes to securing them is that the JavaScript you write must be prepared for a “permission denied” response (so it can display a suitable message to the user).
Normally you would just use a session to track a user’s login status and their access level / roles. You say you have access to the cookies; use those.
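
As an added example (not part of the original answer), one way to apply the server-side check described above in PHP: every Ajax endpoint re-validates the login cookie and the ACL, and answers 401 or 403 with JSON so the jQuery code can show a suitable message. The `lookup_external_user` helper, the `EXT_SESSION` cookie name, the `submodule` parameter and the ACL contents are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed ACL for illustration: submodule => groups allowed to use it.
const ACL = [
    'report_a'  => ['finance'],
    'report_b'  => ['finance', 'sales'],
    'crud_form' => ['admins'],
];

/**
 * Hypothetical helper: asks the external login system who owns these cookies.
 * Returns ['id' => int, 'groups' => string[]] or null when not logged in.
 * Replace the body with the real query to that system.
 */
function lookup_external_user(array $cookies): ?array
{
    $sid = $cookies['EXT_SESSION'] ?? '';   // assumed cookie name
    if (!is_string($sid) || $sid === '') {
        return null;                        // missing or malformed cookie
    }
    // Constructed stand-in data so the example runs offline.
    $sessions = ['abc123' => ['id' => 7, 'groups' => ['sales']]];
    return $sessions[$sid] ?? null;
}

/** Decide the HTTP status and JSON body for one Ajax request. */
function authorize(array $cookies, string $submodule): array
{
    $user = lookup_external_user($cookies);
    if ($user === null) {
        return [401, ['error' => 'not_logged_in']];
    }
    $allowed = ACL[$submodule] ?? [];       // unknown submodule => deny
    if (array_intersect($user['groups'], $allowed) === []) {
        return [403, ['error' => 'permission_denied']];
    }
    return [200, ['user' => $user['id'], 'submodule' => $submodule]];
}

// Endpoint entry point: runs on every Ajax call, before any report or CRUD work.
if (PHP_SAPI !== 'cli') {
    [$status, $body] = authorize($_COOKIE, (string) ($_GET['submodule'] ?? ''));
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

With the constructed data, a request carrying `EXT_SESSION=abc123` gets 200 for `report_b` and 403 for `report_a`; a request with no valid cookie gets 401 regardless of what the client-side code believes.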