Currently I am looking into ajax to fetch data for an admin interface. This also should involve some level of security since you can’t identify who is viewing the data once a request is made. The only sure thing is that a remote address is making the request.

There are a number of things I can think of to secure this.

  1. Add a hashed security code that will somehow identify the user within a php session.
  2. Make sure the user is logged in with at least a basic authentication in apache or other webservers.
  3. Give admin users a client certificate that will grant them rights to the admin interface

Since I will have all kinds of levels option 3 might be a problem. If it would only involve the admin user him/herself I would go for the option.

Option 2 is not something I would like to consider but I still keep it in mind. I would be able to identify users in a more or less tested way.

Option 1 is the option I am considering. The real question is, what would I test against. Users might be behind a proxy, this is all common knowledge. But what if someone is natted behind a proxy and the person is on a shared ip together with other users….

The real option would be to find a combination of client side identity that is shared with server side identity. I must think about some way of getting the cms to identify public keys that users must somehow upload, without sharing it with all the www-data users that is…

/me ponders……



Tagged: , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: