jcanker Posted November 11, 2010

I'm planning out some AJAX and I'd like to implement several security groups/levels to determine how much/what to display to the user, i.e. employees can edit more information than the customer can: the customer can view his billing statement, the employee can edit it. Managers can edit employee information, etc. Everything is passed to PHP as POST to avoid URL rewriting as the simple hack. There will be a salt login procedure.

If this security group id is kept as a property of a JavaScript object, is there any way that the user can essentially forge that and pass a different security identifier to PHP when the AJAX function is called?

Issue two: Does a PHP object stay permanent for a session or just for a particular script? Will I have to recreate a PHP object on the JS side and pass the relevant properties to the PHP constructor every time I want to do something?

Sorry if these are noob questions; I'm new to AJAX and PHP OOP.
PFMaBiSmAd Posted November 11, 2010

AJAX has nothing directly to do with HOW you implement any security. AJAX only ADDS the ability for a page that has been rendered in a browser to make asynchronous HTTP requests to the web server to retrieve and update information on the page without requesting the whole page again.

From a security standpoint, the only thing you do client-side is to identify the visitor (who he is). All determination of his logged-in state, what his group membership is, and what permissions he has is totally done server-side. You must identify the visitor using a unique, hard-to-guess and hard-to-reproduce identifier, such as a session id or a similar value stored in a regular cookie.

Item #1) Yes, if you have some group id anywhere in the browser, it can be altered (no one even needs the code on your pages to send an HTTP request to your web server with any POST/GET values in it that they want).

Item #2) Web servers are stateless. All data used on any page request is destroyed when the processing on that page ends. To cause any data to persist between requests for any one visitor would require that you store the data in a session variable.
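The pattern the reply above describes, written out as an added example (this is not code from the thread or from either poster): a PHP AJAX endpoint that takes nothing from the browser except the session cookie, looks the caller's group up server-side on every request, and ignores any group id the client may have put in the POST body. The group names, permission table, `lookUpGroup()` helper and the `billing.edit` style action names are hypothetical, and the user table is a constructed in-memory lookup standing in for a database query.

```php
<?php
// Added example, not from the original thread. Hypothetical names throughout.
declare(strict_types=1);

// Authorization table lives on the server. The browser never sees or sends it.
// Hypothetical groups and actions for illustration.
const PERMISSIONS = [
    'customer' => ['billing.view'],
    'employee' => ['billing.view', 'billing.edit'],
    'manager'  => ['billing.view', 'billing.edit', 'employee.edit'],
];

function userMay(string $group, string $action): bool
{
    return in_array($action, PERMISSIONS[$group] ?? [], true);
}

// Constructed stand-in for "SELECT group FROM users WHERE id = ?". Only the
// user id that was stored in the session at login is trusted as input here.
function lookUpGroup(int $userId): ?string
{
    $users = [1 => 'customer', 2 => 'employee', 3 => 'manager'];
    return $users[$userId] ?? null;
}

// Every request starts from scratch (item #2 in the reply): nothing survives
// from the previous request except what was saved in the session store and
// is restored through the session cookie. So the group is re-derived each time.
function handleAjax(array $post, array $session): array
{
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'body' => ['error' => 'not logged in']];
    }
    $group = lookUpGroup((int) $session['user_id']);
    if ($group === null) {
        return ['status' => 401, 'body' => ['error' => 'unknown user']];
    }

    // Item #1 in the reply: a 'group' field in the POST body is attacker-
    // controlled. It is deliberately never read; $group came from the session.
    $action = (string) ($post['action'] ?? '');
    if (!userMay($group, $action)) {
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    return ['status' => 200, 'body' => ['ok' => true, 'action' => $action]];
}

if (PHP_SAPI !== 'cli') {
    // Real request: session_start() restores $_SESSION from the server-side
    // store keyed by the session id cookie the browser presented.
    session_start();
    header('Content-Type: application/json');
    $resp = handleAjax($_POST, $_SESSION);
    http_response_code($resp['status']);
    echo json_encode($resp['body']);
    exit;
}

// Stand-alone demo (php this_file.php): the same forged POST body, claiming
// to be a manager, is evaluated against three different session states.
$forgedPost = ['action' => 'billing.edit', 'group' => 'manager'];
foreach ([['user_id' => 1], ['user_id' => 2], []] as $label => $session) {
    $resp = handleAjax($forgedPost, $session);
    echo 'session ' . json_encode($session) . ' -> HTTP ' . $resp['status'] . "\n";
}
```

The only client-side contribution to the decision is the session cookie, which is exactly the "identify the visitor" role the reply assigns to the browser; the JavaScript object holding a group id can still exist for deciding which buttons to draw, but the server must treat it as a hint about presentation, not as an authorization claim.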