Recover $_SESSION with Ajax

Viewed 588 times

0

Is it correct/safe to set a session in PHP and recover this value using AJAX?

I am creating an application using the transparent Pagseguro checkout and need to pass a value as the Reference (identifier). However, because it is restricted data, I would not like to leave it in the HTML front-end. So I did it as follows (example):

In the FRONT-END

<?php
  session_start();
  $_SESSION['ref'] = 123;
?>

<html>
  <head></head>
  <body>

    <button type="button" id="btnSession">Testar Sessão</button>

</body>
</html>

JQUERY SCRIPT with AJAX call

$(function () {
  $("#btnSession").on("click", function () {
    $.get("backend.php", function (res) {
      console.log(res);
    });
  });
});

In the Back-End

<?php
  session_start();
  echo $_SESSION['ref'];
?>

This is working and it fits me perfectly. However, I would like to know if this is correct and safe for my application or if there is a better/safer/more effective way to do this with AJAX.

The purpose of this application is: I have an HTML form, and I will pass its values to a JQUERY SCRIPT that will connect to PAGSEGURO and send this data via AJAX to another PHP page. This page will receive the data and validate the purchase. However, I need to inform a REFERENCE variable that is the user ID. And if I put this variable in my HTML, it risks being changed. So I thought of setting the REFERENCE variable through a SESSION on the page that is HTML and then returning its value on the PHP validation page. Is it clear now?

3 answers

1

On the session, there is no security problem per se, only the problems inherent to the SESSION system itself (such as Man-in-the-Middle, Session Prediction, Session Fixation and problems related to XSS/CSRF, especially if you are using the default settings in PHP).

You can read some security suggestions here, since by default the PHP settings are completely insecure, like everything else in PHP. Additionally, I recommend reading this.

The problem is in the ref. You say it is "restricted data", but this does not define exactly what it is. Well, anyone analyzing network traffic (even via "Network" in the browser) will have access to the ref (due to echo $_SESSION['ref']), so it is no longer a secret. It can also be data manipulated by the client, like any other data, since the AJAX code is controlled by the client.


In addition, there may be problems that are unrelated to security. For example, $_SESSION['ref'] CAN be modified if the user enters another page. Consider:

Page-1.php

$_SESSION['ref'] = 1

Page-2.php

$_SESSION['ref'] = 2

In your code the ref is not changed; there is only one and it is unique. But consider that it can be changed (there is more than one product, for example). If the user accesses Page-1, they will have 1 set as the value. However, if in another new tab/window they access Page-2, the ref will be changed to 2. Now comes the problem: if they go back to the window with Page-1 open and execute the AJAX of Page-1, it will use the value 2 and not 1.

This is not a security problem, but it is a serious usability problem and undesirable behavior.


About using JWT and tokens, as commented by Fabio William Conceição: it is unnecessary. After all, the session already has a token (PHPSESSID is a token, if you analyze it) and it is used to access the data of that session ("the files there in /tmp"). JWT can cause more problems; I would recommend Paseto (it does not use archaic algorithms as JWT does, does not allow them to be easily changed, and enforces stronger algorithms like Ed25519, ChaCha20-Poly1305 and BLAKE2), but I would not recommend its use in this case. It would be useful only if you do not want to save the data on the server. Remember that your current solution, just like JWT and Paseto, is not able to defend against replay attacks.


About there being better solutions: there are. There is a better way to achieve the same goal. But there are no details in the question (where the ref comes from, what it is for, whether there is another authentication, why it is secret...) and none of the solutions I thought of would be as simple as what you did, and this prevents me from posting an "other solution" here.

  • I understood, friend, I will read every link you shared with me, thank you. Regarding the 3rd paragraph of your answer, the " echo $_SESSION['ref'] " was just an example... regarding the 4th paragraph, the " $_SESSION['ref'] = 123; " was another example too... What I need to do is the following: I need to pass a REF variable that identifies the user. If I put this REF in the HTML, the user can change it. So I thought of setting a session with their REF and then returning this value on the page that AJAX will access, so everything is in PHP. Got it?

0


This is not incorrect, but it is not good practice at all, because $_SESSION and everything it encompasses within its object should be accessed only from the scope of the context to which it applies; in other words, only by the backend.

If you need to manipulate objects or anything within the backend and need something to be changed in the context of $_SESSION, you should have access to it that is not implicit as you are doing: a token, JWT or something like that.

But considering the style of the script you're writing, apparently this is something you're still learning.

But in the world of PHP you have to take care with all superglobal variables (the $_XXXX variables), because basically these variables can (and do) do a great deal of damage to your application if someone from the outside has malicious access to them.

PHP gives you a lot of freedom, but that freedom comes at a price, which is really high, so try to be careful about that.

  • Interesting; would you have any link to the material you mentioned, so I can study it, please?

  • The beginning of the studies comes here -> https://www.php.net/manual/en/features.sessions.php

0

The session is a value that should be used on the server side; handling it in the frontend is not good practice, and it is not safe, as it is much easier for other people to gain access to it.

If you're integrating PHP with Pagseguro, you can do all the operations server-side, all in PHP, avoiding sending sensitive information to the client.

On the Pagseguro page itself there is a library with examples: https://m.pagseguro.Uol.com.br/
There’s also the project on Github: https://github.com/pagseguro/php

That is, avoid transmitting this information: make an AJAX call with minimal sensitive data and leave the code on the server side with PHP.

  • I got it. I'm basing myself on the Pagseguro library, but there they pass this Reference to the front-end and I didn't find it very safe. So I wanted to do this intermediation between the form page and the validation page in AJAX. If I do it without AJAX it's fine, but via AJAX I have not found a safe method yet.

  • I don’t understand the "manipulating this on the frontend is not a good practice". Manipulation still occurs in PHP, therefore on the server.

  • PS: I didn’t give negative.

  • By manipulating on the frontend I meant taking the value of the session and bringing it to JavaScript; I meant that you can do it all in PHP without needing this value in JavaScript ;) well, I didn't understand the downvote, but anyway.

  • @Inkeliz I had thought the same... despite being an HTML page, at the top I put PHP setting a SESSION, so I thought it would be safe and good.

  • @Ricardopunctual I do not pass the value of the SESSION to JavaScript. I just thought of using the SESSION so as not to do this... on the HTML page I insert the SESSION with PHP at the top and then return this value on the last PHP page that will be accessed via AJAX. Got it?

  • But if it runs echo $_SESSION['ref'], it is returning the value of the session to the AJAX call, right?

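A server-side version of the backend endpoint along the lines the third answer recommends (the reference stays in the session and is never echoed to the browser), with the per-session CSRF check the first answer alludes to. This is an added example, not code from the question, the answers or the PagSeguro library; it assumes that login stored $_SESSION['user_id'], that the form page created $_SESSION['csrf'], that the jQuery call is switched to $.post with the form fields plus the csrf token, and that pagseguro_checkout() is a hypothetical wrapper around the gateway call.

```php
<?php
// backend.php: the endpoint the jQuery AJAX call posts the order data to.
// Added example (not the question's or the PagSeguro library's code).
// Assumptions: $_SESSION['user_id'] and $_SESSION['csrf'] were set by the
// login / form page; pagseguro_checkout() is a hypothetical gateway wrapper.
session_start();
header('Content-Type: application/json');

function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// The user id (the "reference") is read from the session only. It is never
// rendered in the HTML and never echoed back to the browser.
if (empty($_SESSION['user_id'])) {
    respond(401, ['error' => 'not logged in']);
}

// Per-session anti-CSRF token, created once by the form page with
// $_SESSION['csrf'] = bin2hex(random_bytes(32)) and embedded in the form,
// then sent back as a POST field. hash_equals() avoids a timing side channel.
if (!isset($_SESSION['csrf'], $_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    respond(403, ['error' => 'invalid csrf token']);
}

// Only the non-sensitive form fields travel through AJAX, and they are
// validated here because the client can send anything.
$amount  = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_FLOAT);
$product = trim((string) ($_POST['product'] ?? ''));
if ($amount === false || $amount === null || $amount <= 0 || $product === '') {
    respond(400, ['error' => 'invalid order data']);
}

// Build the reference server-side and hand it straight to the gateway.
$reference = 'user-' . (int) $_SESSION['user_id'];
$result = pagseguro_checkout($reference, $product, $amount); // hypothetical

// The response carries only what the page needs to continue the checkout;
// the reference itself is not part of it.
respond(200, [
    'status'       => $result['status'],
    'checkout_url' => $result['url'],
]);
```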