3

In my website I set some values to session object like "user_status", "user_name" and like so. The php file looks like this:

<script type="text/javascript">
 var logged = <? echo $this->session->getValueOf("user_status"); ?>;
</script>
<a class="show_message" href="#">SHow my status</a>

Well, I have a js script that pretends do an action according to user status in the website, so, I have this:

$('.show_status').click(function(event){
 //ask for user status
 if (logged){
 //do something
 }
 else{
 //do another action for visitors
 }
});

Walking around I thought if it is the best way flow data between session -> javascript, because if you inspect the page source at browser the value of user_status will be visible and could be riskable for website security.

Thanks in advance

EDIT:

  1. logged var only takes a boolean value.
  2. The js action must be executed each time the element #(".show_status") is clicked.
asked Jul 30, 2012 at 3:12
11
  • 1
    Walking around I have thong - Best ever. Commented Jul 30, 2012 at 3:15
  • 2
    sorry, be tolerant cause it is not my native language LOL Commented Jul 30, 2012 at 3:17
  • 1
    No worries Manix. I kid. Commented Jul 30, 2012 at 3:18
  • 1
    @manix there is nothing wrong with your English, had you not told us just now we wouldn't have guessed you're not a native speaker. I thought it was a typo. Commented Jul 30, 2012 at 3:19
  • 2
    @manix, you're awesome. I wish more SO users had your humor. :) I don't mean that lightly, either. Commented Jul 30, 2012 at 3:25

2 Answers 2

3

If the JavaScript is just being used for interface stuff, and doesn't have any back end effects, I probably wouldn't worry too much about the insecurity of handling that logic client-side.

If security is an important thing though, I would recommend you use PHP to write the appropriate JavaScript function. For example:

On the page being viewed, perhaps in the header, you have:

<script type="text/javascript">
 <?php
 if ($this->session->getValueOf("user_status")) {
 require_once('logged_in_user_functions.js');
 } else {
 require_once('visitor_functions.js');
 }
 ?>
</script>

In the file `logged_in_user_functions.js' you have:

function showComment(id) {
 //logic that shows the comment here
}
function showCommentSubmissionForm() {
 //logic that adds this form to the page goes here
}

Meanwhile, in the file `visitor_functions.js' you have:

function showComment(id) {
 //logic that shows the comment in a different way goes here
}
function showCommentSubmissionForm() {
 //logic to display a message saying the user needs to log in to post a comment goes here
}

Then you can add your logic into your page without having to check the user status. The proper behaviour is provided by virtue of which .js file was included:

<button id='add_comment_button' onclick='showCommentSubmissionForm()'>Add Comment</button>

This gives PHP (and thus the server, not the client) final say in what gets displayed to the user.

answered Jul 30, 2012 at 3:18
Sign up to request clarification or add additional context in comments.

6 Comments

I wouldn't advice inline code execution just to achieve a restricted action. In short, JavaScript should not be doing any private-access related type stuff in the first place. You can manipulate a UI via JavaScript console but at the end of the day, the server is the enforcer of data I/O. In this case, I'd set a constant or define a config.
Hmmm, I like this method, the only "negative" part is that my php markup becomes so chaotic
@manix, Chaotic how? Do you mean that the opening and closing php tags just look ugly? I can't disagree there, but functionally it's not all that bad. One thing that you can do to help clean in up is to use the same code outline to import (using require_once) the appropriate JavaScript functions. This would keep the whole logic in a single set of <?php ?> tags and could import the appropriate version of multiple JavaScript functions as needed.
@MichaelFenwick, brilliant idea, but what happened after the php is procesed? The js action will be displayed once time. It should be lauched in every .show_message click
@manix, the idea is to write two versions of the JavaScript function that define the proper behaviour in each case. I'll edit my answer to explain in a little more detail what I mean.
|
2

Assuming that user_status will be something like Active, then this isn't really a security risk.

If you want to hide everything from casualy prying eyes, you could try using an encrypted cookie, using something like How to save encrypted data in cookie (using php)? to encrypt your values.

answered Jul 30, 2012 at 3:16

1 Comment

yes, user_status only can takes the value of 1 or 0, and the cookie is actually encrypted

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.