The question I’m about to ask is just because I’m curious. I think I’m doing the right thing, but I want to make sure it actually is the right thing. It’s about hashing.

The website I am currently building features several Ajax-ed components. First of all, users that are not logged in cannot use these components. Second, users that are logged in can only do their requests in their own name. It’s pretty easy to forge, because I send User-id’s.

My verification method is as follows. Each user has a column in the database that holds random information, like a 8-character random string. Alongside every Ajax request a user makes, this random string is sent as a hashed string. When the Ajax request is received by the server, this hash is matched with the user table to make sure the ID and hash are a valid couple. If so, the request is valid.

The ‘secret’ random string never enters the user realm and is not easy to be guessed, which means that the hash can never be generated by the user. Is this kind of securing a request safe? Are there any drawbacks? And would it be better if I would use some salt?

On a side note, this kind of verification really interests me. I followed a course in interaction design. ‘We’ have the principle of ‘knowledge in the world and knowledge in the head’. Hashing really uses that technique to transfer meta-data from the ‘head’ to the ‘world’ (and vice versa). Both the head and the world have their methods of comparing and decrypting the meta-data, thus making it impossible to impersonate a request. As long as the world doesn’t know what the head knows.

Well, that said, I’d like to know whether my requests are (relatively) safe. Thanks in advance!

Reinder