Topic: Dynamically Update Web Components if user is logged
shawn-stark
Hyper-Active Member
Posts: 124
« on: December 07, 2008, 10:00:32 AM »

On the topic of dynamically updating components in a web page and security.
I have been pondering the security issues revolving around storing the session ID
in a cookie.

When you make a request with XMLHttpRequest you can provide a header
that holds info to be used server side. During a browser request that reloads the
whole page, cookies are somehow sent in the header via a regular browser request,
including that session ID cookie. Though a server is fairly secure using this cookie,
it is sometimes necessary to secure the request a little more.

My question is: where on the client side do you store the session ID and other user
verification information to be used with JavaScript request operations, and ensure
the user can't retrieve the information stored on their machine in a readable format?

I thought about interfacing a Java applet in a way that the user's information is saved
inside a compiled class object and is able to be transmitted back to the server to be decoded
against the same class definition that created it. This brings us into the world of Java
beans, servlets, and JSP. I am very unsure how to pass anything but a string via a
POST method (a POST method is passing info in the header) or a GET method passing info
in the URL. Whether it is PHP, JSP or ASP, I would like to pass an object in its rudimentary
state with values saved within it back to the server in a JavaScript XMLHttpRequest.
I just want the information hidden from the user. This is not a question about forms.
shawn-stark
« Reply #1 on: August 01, 2009, 01:24:33 PM »

The solution I have found to this has nothing to do with
passing classes or objects, but rather with hiding the JavaScript
and CSS in a way a conventional browser is unable to
provide in a readable format, and securing access to only
the requesting domain, where the initial loading script loads
other scripts via an XMLHttpRequest and appends the scripts to the current document. Some workaround was required for
IE 8 but it should work on IE 5 & 6. This requires the use of
MIME types and server-side scripting to secure file access.
It also requires .htaccess support...

Sorry I can't elaborate on this other than to say
I don't see why keeping a SESS_ID on the client computer
is a security risk. I can however encode the ID in an
unusable format and decode it later.

I can use JSON and JavaScript files to transport my objects
and make it fairly hard for a client to view the data
contained in them. This is the same with class files
and JAR files. However I am unsure how to pass compiled
files back to the server; I was thinking a PUT, though
uncommonly used, might work......

More or less, I would like to pass stateful images from the client
machine to the server my request_response system is
working on.

More information on my web OS will be provided upon its
completion... My trials with client side are commencing
and though not using the standard methods of
transportation, it should also incorporate those methods.


Please let me know if you can provide information on how to
post compiled files via JavaScript without reloading the page.