Securely hide jQuery result from user?

↘锁芯ラ submitted on 2019-12-13 04:54:13

Question


Is it possible to generate a random number with jQuery, then post it to the server in a form without the user being able to find out the number? I know I can "hide" the output, but can I hide it from Firebug too?

Could it be done with something like jCryption, or is this actually impossible with jQuery?


Answer 1:


Nothing you do on the client-side should ever be considered safe from the user's manipulation.




Answer 2:


No. It is not possible. Every connection between the browser and the server can be intercepted by the user. Open your console in Chrome and open the 'Network' tab to see what I'm talking about.

Select any one of those fancy-looking rows: in the panel that just popped out on the left, select "Headers". Ta-da!

Under "query string params" you'll see all the information your browser sent to the server for that request: you can see it URL encoded, or even well formatted.

If you send an Ajax request via jQuery, the sent parameters will appear there as well. If any random guy with free software can intercept sensitive data, I'd recommend computing this data elsewhere instead of on the browser.

I don't know what you're trying to do but if you have a number you don't want your user to know, that number should only travel on the server.




Answer 3:


You cannot do what you want as you described, but the way to do something similar is to have the server generate and return it for you encrypted.

The gist:

  • $.ajax to post to server side script
  • Server script generates i.e. a Guid -> using a server-side encryption key, generates an encrypted Guid (this will be quite hard to crack given a decent-length key and the length of a Guid)
  • Return it to the $.ajax call.
  • Then when the form is posted back, the server can decrypt the form submission (as it and only it knows the encryption key)

HTH if you hadn't already thought of it
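
The flow outlined in Answer 3, as an added server-side Node.js sketch that is not part of the original answer: the server generates the value, seals it with AES-256-GCM, hands only the opaque token to the browser, and opens it again when the form comes back. The names `issueToken`, `openToken`, `KEY` and `formId` are hypothetical, and a random number stands in for the Guid.

```javascript
// Added example (not from the original answer): sealed server-side token.
const crypto = require('crypto');

// Constructed demo key. Assumption: a real deployment loads a stable
// 32-byte key from server-side secret storage; it never reaches the browser.
const KEY = crypto.randomBytes(32);

// Step 1-3: generate the secret on the server and seal it for the client.
function issueToken(formId) {
  const secret = crypto.randomInt(0, 1000000); // value the user must not learn
  const iv = crypto.randomBytes(12);           // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(Buffer.from(formId));          // bind the token to one form
  const ct = Buffer.concat([cipher.update(String(secret), 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
  // Only `token` goes into the $.ajax response; `secret` is returned here
  // solely so the round trip can be checked.
  return { token, secret };
}

// Step 4: on form post, decrypt and authenticate what the browser sent back.
function openToken(token, formId) {
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length < 29) return null;          // 12 IV + 16 tag + >=1 data byte
    const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(formId));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return Number(pt.toString('utf8'));
  } catch (err) {
    return null; // modified token, token issued for another form, or wrong key
  }
}
```

Authenticated encryption keeps the value unreadable and rejects edited tokens, but an unmodified token can still be submitted more than once; if single use matters, the server also has to record which tokens it has already accepted.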



Source: https://stackoverflow.com/questions/17885600/securely-hide-jquery-result-from-user
