Best way to protect integrity of ajax request

Backend · Unresolved · 5 · 1663
无人共我 2021-01-12 14:19

I am building a Drupal website with a lot of user-specific information that will be posted using jQuery/ajax. The information it self is not very sensitive, it is just impor

5 answers
  •  时光说笑
    2021-01-12 15:09

    As already mentioned by others, you can’t control the client side. That means you can’t control, and thus can’t trust, what the client sends, and anything could be tampered with.

    But now think about this: the fewer parameters you expose to the client, the fewer they can tamper with. So try to keep as many parameters under your control (i.e. on the server side) as possible. That’s what sessions are for.

    So you could store the parameters that are not to be changed in the session instead of sending them to the client, where they are out of your control. All you need is to associate the form instance with the server-side form parameters. You can do this with a random identifier that you use as the key in the session data array:

    session_start();
    // Server-side parameters the client must not be able to change
    $data = array('uid' => 10);
    // Unguessable key tying this form instance to its server-side data
    $id = bin2hex(random_bytes(16));
    $_SESSION['formdata'][$id] = $data;
    

    Then when you process the form request you just take the form data identifier to look up the form data in $_SESSION['formdata'] to get the data for further processing.
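The pattern from this answer carried through both halves, as an added example that is not the answerer's code: registering the server-side parameters under a random key when the form is rendered, and looking them up (rather than trusting the POST body) when the request comes in. The `$session` array stands in for `$_SESSION` so it runs from the CLI; the `formid` field name, the single-use removal of the entry and the `comment` field are assumptions of this example.

```php
<?php
// Added example, not from the original answer. $session stands in for
// $_SESSION so the script can be run stand-alone from the command line.

function registerFormData(array &$session, array $data): string
{
    // 128-bit random key: a client cannot guess another form instance's entry
    $id = bin2hex(random_bytes(16));
    $session['formdata'][$id] = $data;
    return $id;
}

function processFormRequest(array &$session, array $post): ?array
{
    $id = $post['formid'] ?? '';
    // Unknown, malformed or already-consumed identifier: reject the request
    if (!is_string($id) || !isset($session['formdata'][$id])) {
        return null;
    }
    $data = $session['formdata'][$id];
    // Single use (assumption of this example): a resubmitted id is rejected
    unset($session['formdata'][$id]);
    // Only the client-editable field is read from the POST body; 'uid' comes
    // from the session, so a posted 'uid' is simply ignored.
    return array(
        'uid'     => $data['uid'],
        'comment' => (string) ($post['comment'] ?? ''),
    );
}

// Constructed demo data: a session and three constructed POST bodies
$session = array();
$id = registerFormData($session, array('uid' => 10));
// The only thing the page needs to carry is the opaque identifier
printf("<input type=\"hidden\" name=\"formid\" value=\"%s\">\n",
       htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));

// Legitimate submit: the client also posts uid=99, which is ignored
var_dump(processFormRequest($session, array('formid' => $id, 'uid' => '99', 'comment' => 'hi')));
// Guessed identifier and replay of the consumed one are both rejected (null)
var_dump(processFormRequest($session, array('formid' => 'not-a-real-id')));
var_dump(processFormRequest($session, array('formid' => $id)));
```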
