Hi,
Well we all see in orkut and facebook, the way they have implemented reply to messages using Ajax.
They simply take the value from the textbox and then send it through ajax to a server side php (for facebook) and aspx (for orkut) which then saves that message in the db tables and reply back with appropriate message.
Cool all this done and implemented without any hassel
However now i start looking at this process from a hacker point of view. I have firebug and I see to which php file does the ajax sends message to. Hence what I will do is straight away put that url in the browser eg:
http://mysite.com/submitreply.php?reply=true&message=hi&replyto=username
and submitreply.php doesnt who if the request came from a authentic user or someone like me straightway put this thing in browser address.
Now I see orkut etc using some unique id etc to protect the system and uses this unique key to identify and authenticate user.
Cool understandable.
But my doubt is:
How do I make the syncronization of this unique key between client browser and server. i.e. I can use php uniqid() to generate a uniqid and send it across to server with ajax. But then information regarding this uniqid must already be there at the server, to which it will compare and if found correct it will take actions.
Now what I want to know is, how do I keep a sync of this uniqid. I dont want to use some flat files server side to save these uniqid.
All i need to know is whats the standard used in the market ?
Well we all see in orkut and facebook, the way they have implemented reply to messages using Ajax.
They simply take the value from the textbox and then send it through ajax to a server side php (for facebook) and aspx (for orkut) which then saves that message in the db tables and reply back with appropriate message.
Cool all this done and implemented without any hassel
However now i start looking at this process from a hacker point of view. I have firebug and I see to which php file does the ajax sends message to. Hence what I will do is straight away put that url in the browser eg:
http://mysite.com/submitreply.php?reply=true&message=hi&replyto=username
and submitreply.php doesnt who if the request came from a authentic user or someone like me
straightway put this thing in browser address.Now I see orkut etc using some unique id etc to protect the system and uses this unique key to identify and authenticate user.
Cool understandable.
But my doubt is:
How do I make the syncronization of this unique key between client browser and server. i.e. I can use php uniqid() to generate a uniqid and send it across to server with ajax. But then information regarding this uniqid must already be there at the server, to which it will compare and if found correct it will take actions.
Now what I want to know is, how do I keep a sync of this uniqid. I dont want to use some flat files server side to save these uniqid.
All i need to know is whats the standard used in the market ?
