I have been making good progress on a web based application over the past few months, however I realized a few vulnerabilities in the way I communicate information between client and server. I am using Angular JS and PHP as my main frameworks.
Upon logging in, I store user data such as username, id, and associated account names under a localstorage item which I then reference throughout the app for making different database requests. This also allows users who have logged in before to stay logged in when they revisit my site.
Well, anyone can clone a local storage variable, modify it, and resave it in their browser. This would allow someone with the right information to pose as another user when accessing my site. In other php POST requests I return whole lists of user with their database ID and username, so someone who knows where to look could get access to that information. Good thing I don’t store any valuable user information, however this does not seem like good practice whatsoever.
So maybe this question really has 2 parts:
How can I save the client’s information in a way that is unable to be tampered with? Should I create public variables near the root application level that can be accessed across my site instead?
Is there a way to hide the information in my POST responses so they cannot be viewed by dev tools? It doesn’t seem right that anyone can see the list of users with their database ID, but I need that information for when users interact with each other. My current goto method is using the php function “echo json_encode()” which can be seen in plain text.
Any advice is greatly appreciated. This is my first full feature personal project so there’s some things I just don’t know yet.
Advertisement
Answer
How can I save the client’s information in a way that is unable to be tampered with?
Encrypt it on the server. Never give the decryption key to the client. This is how JWT works.
Obviously, this doesn’t work if you need the contents to be available on the client.
Is there a way to hide the information in my POST responses so they cannot be viewed by dev tools?
No.
It doesn’t seem right that anyone can see the list of users with their database ID, but I need that information for when users interact with each other.
If you need to tell users that other users exist, then they have to know about them.
The database ID shouldn’t be critical information.
If you want to stop a user posing as another user, then use authentication. Require a username + password or something that represents them (like a JWT).