ncyoung.com

notes on user flow and case study from Amazon.com

Session-based authentication only verifies that you are logged into the application. What's also called for is to verify that the action being requested is part of a valid user-directed activity flow.

Look at how Amazon handles this. LOTS of people are logged into their Amazon accounts all the time. There are three levels of activity you can do with your Amazon account. The first can be done with the always-on login, and so is easy to fake using session riding:

- add to wish list
- see your recommendations
- use the gold box
- order by one click
- view your account page (a page of choices)

For the next level you have to log in again using an online form, which lets you:

- change your shipping address
- change your one-click settings
- view your orders
- have an order sent to anyone other than yourself

It's easy to fall out of this second login state if you wait too long or play around with it in other ways. That's because Amazon is keeping track of your user activity flow (is there a term for this?) to prevent session riding attacks.

Then there are things you just can't do, like reading your own credit card number. Since people right now are often doing ajax for the first time, I think there are common sense precautions like this that are getting missed. Startups are also notorious for sacrificing security in favor of growth (in fact it's sometimes explicit in their business plan). So ajax is likely to get a bad security rep for a while.
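To make the three levels concrete, here is an added example (my own sketch, not Amazon's code or anything from this site) of how a server could model them: level-1 actions ride on the always-on session, level-2 actions need a recent re-login that expires plus a single-use flow token issued by the confirmation form, and level-3 data is never served. The action names, the 15-minute window and the token scheme are assumptions.

```python
"""Tiered action authorization with step-up login and flow tokens (illustrative)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed action tiers, following the three levels described in the post.
LEVEL = {
    "add_to_wishlist": 1, "view_recommendations": 1, "one_click_order": 1,
    "change_shipping_address": 2, "change_one_click_settings": 2,
    "view_orders": 2, "ship_to_other_address": 2,
    "read_credit_card_number": 3,  # never exposed over the web at all
}
REAUTH_WINDOW = 15 * 60  # seconds the step-up login stays valid (assumed value)


@dataclass
class Session:
    user: str
    reauth_at: Optional[float] = None  # when the user last re-entered a password
    flow_tokens: dict = field(default_factory=dict)  # token -> (action, issued_at)


def step_up(session: Session, password_ok: bool, now: float) -> None:
    """Called when the user submits the re-login form."""
    if password_ok:
        session.reauth_at = now


def issue_flow_token(session: Session, action: str, now: float) -> str:
    """Rendered into the confirmation form of a level-2 action; ties the later
    POST to a page the user actually visited in this session."""
    token = secrets.token_urlsafe(16)
    session.flow_tokens[token] = (action, now)
    return token


def authorize(session: Session, action: str, now: float,
              flow_token: Optional[str] = None) -> str:
    """Returns 'allow', 'deny', or 'reauth' (send the user to the login form)."""
    level = LEVEL.get(action, 3)  # unknown actions are treated as most sensitive
    if level == 3:
        return "deny"
    if level == 1:
        return "allow"
    # Level 2: a recent re-login AND a flow token issued for this exact action.
    if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW:
        session.reauth_at = None
        session.flow_tokens.clear()  # falling out of level 2 drops pending flows
        return "reauth"
    expected = session.flow_tokens.pop(flow_token, None)  # tokens are single use
    if expected is None or expected[0] != action:
        return "deny"  # request did not arrive through the form in this session
    return "allow"
```

A forged cross-site request carries the session cookie but no flow token, so it lands in the `deny` branch even while the step-up login is still fresh.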

Dated: 04/07/2007