我建立一个Drupal的网站有很多的，将使用jQuery / AJAX发布用户特定的信息。这些信息是自我是不是很灵敏，验证表单数据没有被篡改过类似Firebug的工具，以及确保信息得到真正从指定的用户请求它仅仅是重要的。换句话说，我试图找出与阿贾克斯发帖时保护数据的完整性和真实性的最好方法。

在理想情况下，我想用一些知名的信息认证系统，如HMAC算法。但是，由于这种采用了对称密钥，我不知道怎样才能不暴露的秘密关键在我的JavaScript文件（这显然是可见的任何人）加密POST数据。

请纠正我，如果我有这个应该如何工作的错误观念。

例如，我的信息需要发送

 字段1 = X＆放大器;场2 = Y＆放大器;的uid = 10
 

...然后计算数据的散列用密钥一起。这是可以做到不暴露的散列函数在我的JavaScript code？

 校验：哈希（POSTDATA，SECRET_KEY）
 

...最后追加校验和原始POSTDATA。

 字段1 = X＆放大器;场2 = Y＆放大器; UID = 1和C =校验
 

替代

这是另一种我虽然被使用的登录用户的会话ID。然而，这不会检查消息的完整性......

在用PHP生成表单，我可以生成一个隐藏的输入具有以下

 校验：哈希（会话ID为当前用户，SecretKey的）
 

然后我会发布什么用Ajax是

 字段1 = X＆放大器;场2 = Y＆放大器;的uid = 10和C =校验
 

通过这一点，将是相当安全验证相应的用户（再次伪code）

  SSID =选择SSID从会话其中uid = $ _ POST [UID]
如果（SSID和放大器;＆安培;散列（SSIDSecretKey的）== $ _ POST [C]）{
     //用户确定
} 其他 {
     //无效的用户
}
 

解决方案

您不能做你想要做的事。基本上，你想验证一个不可信和不受控客户端上的一个组件（表单）不是由同一个客户端上的另一个组件篡改。你不控制客户端。你可以想出各种方法来使它的困难的有人做，他们的客户端，但最终你必须公开你如何做这些完整性检查到客户端。不管你做什么在你的表单脚本可以读取和该客户端上的人理解（它在客户端上运行，因此任何人与客户端进行交互可以逆向工程任何你正在做恢复使用的技术以及任何键/等等，你必须让你的计划）。

Web应用安全的基本规则是，你无法控制所发生的事情在客户端上，这样你就不能相信客户端的验证/安全方案是这样的。

在最后，这是不可能的，通过这种方案所提供的保护将是值得的时间和投资来实现它。谁被确定打破它就能某人。

I am building a Drupal website with a lot of user-specific information that will be posted using jQuery/ajax. The information it self is not very sensitive, it is just important to verify that the form-data has not been tampered with tools like Firebug, as well as ensuring the information is really requested from the specified user. In other words, I am trying to figure out the best way to protect the integrity and authenticity of the data when posting with ajax.

Ideally I would like to use some well known message authentication system, like the HMAC algorithm. But since this incorporates a symmetric key, I don't see how I can encrypt the POST data without exposing the secret key in my javascript file (which obviously is visible to anyone).

Please correct me if I have got the wrong idea about how this should work.

For example, info I need to send

field1=x&field2=y&uid=10

...then calculate the hash of the data together with a secret key. Is this possible to do without exposing the hash function in my javascript code?

CHECKSUM: hash(postdata, "secret_key")

... and finally append checksum to original postdata.

field1=x&field2=y&uid=1&c=CHECKSUM

Alternative

An alternative I though of was using the session ID of the logged in user. This however would not check the integrity of the message...

When generating form with PHP, I can generate a hidden input with following

CHECKSUM: hash(session id for the current user, "secretkey")

What I then would post using ajax is

field1=x&field2=y&uid=10&c=CHECKSUM

With this it would be fairly secure to authenticate the appropriate user (again pseudo-code)

ssid = SELECT ssid FROM sessions WHERE uid = $_POST[uid]
if(ssid && hash(ssid, "secretkey") == $_POST[c]) {
     //User OK
} else {
     //Invalid user
}

You cannot do what you're trying to do. Basically, you're trying to verify that one component (your form) on an untrusted and uncontrolled client is not tampered with by another component on that same client. You don't control the client. You can come up with all sorts of methods to make it harder for someone to do this on their client, but in the end you must expose how you're doing those integrity checks to the client. Whatever you do in your form scripts can be read and understood by the person on that client (it has to run on the client, so whomever is interacting with the client can reverse engineer anything you're doing to recover the techniques used and any keys/etc that you have to enable your scheme).

Basic rule of web application security is that you cannot control what's happening on the client, so you cannot trust client-side verification/security schemes like this.

In the end, it's unlikely that the protection offered by such a scheme would be worth the time and investment to implement it. Someone who is determined to break it will be able to.