How to keep a Javascript Function in the DOM even after a page load from another page?


Viewed 102 times

1

As far as I know, it is not possible to keep the state of the DOM after a page load. Is there some technique or some way to keep the function in a cookie or Storage (local, session) to use later?

  • 4

    Leandro, what is the purpose of this?

  • Here is the thing: I get from the REST server an encrypted JSON and also the JavaScript method with a single key to decrypt the content of the JSON. When I receive this function I load it by calling eval(). But if I do any page load I lose everything that was in the DOM. I need to keep this method alive without Storage or a cookie, but I see that this is impossible.

  • Why don’t you just save the key to decrypt the content?

1 answer

3

I wouldn’t advise keeping the information in a function. It would be better to modify the code and store only the necessary keys.

Also, local Storage is not recommended for storing session information or "sensitive data" (source).

In this case, use a cookie. If possible, use HTTPS with the secure flag set, which helps to avoid some attacks of the man-in-the-middle type. Since you need to access the key in JavaScript, you cannot enable httpOnly, so your page will be susceptible to XSS attacks (Cross-Site Scripting).

But understand that any key stored on the client does not offer a good level of security; it is almost the same as using any session ID. After all, anyone who can access the information on your page can replicate the "natural" behavior of the system.

  • But the key is not generated by the client but by REST. When I send the JSON object from REST to the client I already send a JavaScript method with a single key inside it. Example method: function a(b){ var d = "4jn234324uh234u4h3"; return Decrypt(b,d); } In the next request it would be function a(b){ var d = "5fg4df564gdf65g4fg654f"; return Decrypt(b,d); } And consequently only the client could open the JSON content, since all the token and key information it depends on is dynamic for each request.

  • 1

    @Leandrocurious Perfectly. I understood this. The only thing that is crooked in the answer is that you will not be able to use the flag httpOnly to access the cookie through the script. The problem is that your site will always be vulnerable to XSS attacks.

  • @Leandrocurious But if it is dynamic for each request, why store it, then?

  • 1

    @Leandrocurious In this case what you have is a token against CSRF attacks (Cross-site request forgery).

  • The problem is in the page load, since I receive the method and call eval() within the client’s own call to the service, but when the page changes I no longer have the method. I would have to save it in a cookie and Storage, which is what I do not want.

  • 1

    @Leandrocurious The correct thing is that when the page changes the server sends another function and the previous one is not used. Otherwise it will turn into a kludge. All CSRF solutions work this way.

  • But that’s the question. Fine, but how will the client’s call to REST receive a cookie, since I send an object to REST and only receive JSON objects? How can I set an HTTP-only cookie through REST for each client?

  • @Leandrocurious In this case, the loaded page needs to come with a built-in key and the other REST requests can return the next key normally. However, I don’t know if I’m missing the point, but there seems to be a problem. What happens if one of the REST calls fails? Imagine the case of the user’s internet connection oscillating. It seems to me that this procedure will cause more problems than it solves.

  • If the connection fails, use try/catch and in the exception send the client to an internal error page, login or something like that.

  • The architecture is working well from the generation of the key through the creation of the JS method and eval(). However, in the page load of the other page I lose everything I had in eval(), and as much as I have a cookie hash I no longer have the method to decrypt.

  • Maybe if I generate another token just so that on the page load of each page I can request the javascript needed to decrypt the content.

  • 2

    @Leandrocurious Exactly. This is the correct way.
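The cookie trade-off described in the answer (secure against interception, but no httpOnly because the script must read the key) can be checked on the response headers. The following is an added example, not code from the question or the answer; the cookie names and values are constructed, and the SameSite check is an addition tied to the CSRF point raised in the comments.

```javascript
// Added example: audit a Set-Cookie header for the exposures the answer names.
// Cookie names/values below are constructed samples, not values from the thread.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed Set-Cookie: " + header);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report what a cookie carrying a key or session value is exposed to.
function auditKeyCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) {
    findings.push("no Secure: also sent over plain HTTP (man-in-the-middle)");
  }
  if (!attrs.httponly) {
    findings.push("no HttpOnly: readable through document.cookie (XSS)");
  }
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") {
    findings.push("no SameSite=Lax/Strict: attached to cross-site requests (CSRF)");
  }
  return { name, scriptReadable: !attrs.httponly, findings };
}

// Constructed sample headers.
const SAMPLES = [
  "pagekey=EXAMPLEKEY; Path=/",                                    // weakest
  "pagekey=EXAMPLEKEY; Path=/; Secure; SameSite=Strict",           // the answer's case
  "sid=EXAMPLESESSION; Path=/; Secure; HttpOnly; SameSite=Strict", // script cannot read it
];

for (const h of SAMPLES) {
  const r = auditKeyCookie(h);
  console.log(r.name, "scriptReadable=" + r.scriptReadable, r.findings);
}
```

The second sample is the configuration the answer ends up with: it survives a page load and is protected in transit, but any script running on the page, injected or not, can read the key.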
