jQuery ajax security

Backend · Unresolved · 3 · 1373
星月不相逢 2021-01-21 17:49

I have the following ajax call which checks to see if the user is a paid member; if yes, it runs certain functions accordingly. This works, but I'm concerned about security. What

3 answers
  •  太阳男子
    2021-01-21 18:20

    Pinkie, what you should do, rather than make this check on the client-side, is never render code that is meant only for paid users on the client-side. Like others mention, this imposes severe security holes, since it's very simple to forge ajax requests with merely a firebug console.

    Likewise, just "hiding" markup isn't going to cut it for you, so display:none; won't really accomplish anything in securing your website.

    What I'd recommend is two-fold: firstly, don't even render javascript on the client that isn't meant for the user who is visiting. In this case you might even want to consider invoking a partial action method that decides whether or not to render what js code to the client, depending on the user credentials.

    Secondly, there is only so much that can be done on the client-side, this means: every single method on the server side that is sensitive to the user's credentials should verify that the user is indeed allowed to access this functionality, and not just guess that if he's accessed that method, he must be.

    Update

    In the case you mention where you render a jquery UI dialog, as long as the buttons point to functionality that verifies on the server-side that the user is who he claims to be, then you are "safe" (even though it's not the cleanest code on earth); what you should really be doing is render those buttons based on whether the user has the credentials you require.

    Instead of checking if they have the required credentials in your ajax call, you should be making a query to fetch the portion of HTML / JS you were going to be rendering.
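The server-side arrangement the answer recommends, as an added example that is not part of the thread: an in-memory model of a server that returns the premium HTML fragment and runs the premium action only for an entitled session, beside an unguarded endpoint that trusts the client-side check. The session store, route names and `handle()` helper are constructed for this illustration.

```javascript
// Constructed session store: the session id arrives in a cookie the server
// set at login. The client never supplies the "paid" flag itself.
const sessions = {
  'sess-free': { user: 'alice', paid: false },
  'sess-paid': { user: 'bob', paid: true },
};

// Authorization guard shared by every endpoint that is sensitive to the
// user's credentials. Returns null when the request may proceed.
function requirePaid(session) {
  if (!session) return { status: 401, body: 'login required' };
  if (!session.paid) return { status: 403, body: 'paid membership required' };
  return null;
}

const routes = {
  // Instead of a client-side "am I paid?" check, the browser asks for the
  // fragment, e.g. $.get('/partials/premium-tools').done(h => $('#tools').html(h)),
  // and the server renders the premium markup only for an entitled session.
  'GET /partials/premium-tools': (session) =>
    requirePaid(session) ||
    { status: 200, body: '<button id="export">Export</button>' },

  // The action behind the button is guarded as well: rendering the button
  // is not the access control, this check is.
  'POST /api/export': (session) =>
    requirePaid(session) || { status: 200, body: 'export started' },

  // The pattern from the question: an endpoint that assumes whoever calls
  // it already passed the client-side membership check.
  'POST /api/export-unguarded': () => ({ status: 200, body: 'export started' }),
};

// Dispatch a request given its session cookie. A request forged from the
// browser console still carries only the cookie, so it cannot escalate.
function handle(method, path, cookie) {
  const route = routes[`${method} ${path}`];
  if (!route) return { status: 404, body: 'not found' };
  return route(sessions[cookie]);
}
```

A free user forging a POST to `/api/export` receives 403, while the same forged request to the unguarded route succeeds, which is exactly the hole the answer warns about.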
