I am developing an iOS app using PhoneGap. Users first have to register or log in (AJAX: POST to a PHP file on my web server, like here: PHP AJAX login, is this method secure?).

Info needs to be sent to a MySQL database, users can upload pictures, ...

Now I was wondering if there is a way to prevent other people from posting to my php files.

In my opinion, it would be quite simple to write a script that adds thousands of fake accounts or uploads thousands of pictures.

I read POST method, Ajax and Security?, but I can't seem to find a way to implement this in a PhoneGap app.

How do I make sure I am the only one who can use these php files?

Tom Broucke

2 Answers

Save your PHP Session cookie and authenticate yourself using normal sessions in your app. That way you only have to authenticate yourself once.

Adam Fowler
  • I'm doing it this way. Had a strange problem where Firefox wouldn't accept AJAX posting from a local file to the web server. Safari and PhoneGap do allow this (probably to do with cross-domain posting). It seems that PhoneGap handles my sessions correctly. I will be doing some more research on session security using AJAX. – Tom Broucke Jun 01 '12 at 08:47
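What the session approach looks like end to end, as an added example that is not code from the answer or the asker's project: one PHP file that logs the PhoneGap app in once and then refuses every other action unless the session carries a user id. Assumed: PHP 7.3 or later, HTTPS, dispatch on `?action=login|upload`, an existing `uploads/` directory, the CORS origin `https://app.example.com`, and a constructed in-memory user table standing in for the MySQL users table.

```php
<?php
// Added example, not code from the answer: one PHP file that logs the
// PhoneGap app in once and then gates every other action on the session.
// Assumed: PHP >= 7.3, HTTPS, dispatch on ?action=login|upload, and a
// constructed in-memory user table in place of the MySQL users table.

declare(strict_types=1);

// Cookie flags must be set before the session starts. The app page is
// loaded from file://, so the cookie travels cross-site and needs SameSite=None.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
]);
session_start();

header('Content-Type: application/json');
// Only needed if a browser front end on another origin also calls this file;
// never combine '*' with Allow-Credentials. The origin value is assumed.
header('Access-Control-Allow-Origin: https://app.example.com');
header('Access-Control-Allow-Credentials: true');

// Constructed user table; the hash comes from password_hash().
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function fail(int $code, string $msg): void {
    http_response_code($code);
    echo json_encode(['error' => $msg]);
    exit;
}

// Every protected action calls this first: no session, no service.
function requireLogin(): int {
    if (empty($_SESSION['user_id'])) {
        fail(401, 'login required');
    }
    return (int) $_SESSION['user_id'];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}
$action = $_GET['action'] ?? '';

if ($action === 'login') {
    $name = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($pass, $user['hash'])) {
        fail(401, 'bad credentials');
    }
    session_regenerate_id(true);        // fresh id on privilege change (session fixation)
    $_SESSION['user_id'] = $user['id'];
    echo json_encode(['ok' => true]);
    exit;
}

if ($action === 'upload') {
    $uid = requireLogin();              // a script without a session stops here
    $f = $_FILES['picture'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK || $f['size'] > 5 * 1024 * 1024) {
        fail(400, 'no picture, or larger than 5 MB');
    }
    // Server-chosen file name under the user's id; the client's file name is ignored.
    $dest = sprintf('%s/uploads/%d_%s.bin', __DIR__, $uid, bin2hex(random_bytes(8)));
    move_uploaded_file($f['tmp_name'], $dest);
    echo json_encode(['ok' => true, 'stored_as' => basename($dest)]);
    exit;
}

fail(404, 'unknown action');
```

On the PhoneGap side the jQuery call needs `xhrFields: { withCredentials: true }`, otherwise the session cookie is not sent from a file:// page and every request after login fails with 401. Note what this does and does not cover: the upload endpoint is now usable only with an account, but the registration endpoint is still reachable anonymously, so the "thousands of fake accounts" case needs its own limit (per-IP rate limiting or a CAPTCHA on registration), which the session does nothing about.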
You could add an auth token to the headers of your AJAX request and check for it in your PHP, e.g.

    $.ajax({
        type: "POST",
        url: "https://your.url.com/page",
        headers: {
            "Auth-Token": "auth_key2134"
        }
    });
Lee Crossley
  • I haven't tried this, but I suppose you could find the HTML source in the myApp.ipa. Isn't it easy then to just copy the auth token? – Tom Broucke May 31 '12 at 11:52
  • It is "possible" to decompile the ipa: http://hints.macworld.com/article.php?story=20090216234229963. If this is a real concern, the other option is to have the user create an account when the app starts and pass the username and password parameters to your service. – Lee Crossley May 31 '12 at 12:05
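The comments above make the point: a fixed `Auth-Token: auth_key2134` is a shared secret that ships inside the .ipa, so anyone who unpacks the app has it. The following is an added example, not the answer's code, of the per-account variant the last comment suggests: the server issues a random token to each logged-in user, stores only its hash, and every later request is checked against that table. Assumed: HTTPS, PDO with SQLite writing `./tokens.db` as the token store (the same two queries work against MySQL), dispatch on `?action=login|logout|upload`, and a constructed in-memory user table in place of the MySQL users table.

```php
<?php
// Added example, not the answer's code: the fixed "Auth-Token: auth_key2134"
// (a shared secret anyone can lift from the .ipa) replaced by a random
// per-user token issued at login. Assumed: HTTPS, PDO SQLite in ./tokens.db
// for the token store, dispatch on ?action=login|logout|upload, and a
// constructed in-memory user table in place of the MySQL users table.

declare(strict_types=1);
header('Content-Type: application/json');

$db = new PDO('sqlite:' . __DIR__ . '/tokens.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Only a hash of each token is stored, so a leaked table yields no usable tokens.
$db->exec('CREATE TABLE IF NOT EXISTS api_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires    INTEGER NOT NULL)');

// Constructed user table; the hash comes from password_hash().
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function fail(int $code, string $msg): void {
    http_response_code($code);
    echo json_encode(['error' => $msg]);
    exit;
}

// Resolve the Auth-Token header to a user id, or stop the request.
function requireToken(PDO $db): int {
    $token = (string) ($_SERVER['HTTP_AUTH_TOKEN'] ?? '');
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {      // exactly the shape issueToken() emits
        fail(401, 'missing or malformed token');
    }
    $stmt = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        fail(401, 'unknown, revoked or expired token');
    }
    return (int) $uid;
}

// Mint a 256-bit token for $uid, valid for 30 days; the plaintext is returned once.
function issueToken(PDO $db, int $uid): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO api_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $uid, time() + 30 * 86400]);
    return $token;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}
$action = $_GET['action'] ?? '';

if ($action === 'login') {
    $name = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($pass, $user['hash'])) {
        fail(401, 'bad credentials');
    }
    // The app keeps this token locally and sends it back as the Auth-Token header.
    echo json_encode(['token' => issueToken($db, (int) $user['id'])]);
    exit;
}

if ($action === 'logout') {
    requireToken($db);
    // Revoke only the token that was presented; other devices stay logged in.
    $stmt = $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', (string) $_SERVER['HTTP_AUTH_TOKEN'])]);
    echo json_encode(['ok' => true]);
    exit;
}

if ($action === 'upload') {
    $uid = requireToken($db);            // a key copied out of the .ipa no longer helps
    echo json_encode(['ok' => true, 'user' => $uid]);
    exit;
}

fail(404, 'unknown action');
```

The client side is the answer's snippet with the literal replaced by the stored value, e.g. `headers: { "Auth-Token": window.localStorage.getItem("token") }`. PHP exposes a request header named `Auth-Token` as `$_SERVER['HTTP_AUTH_TOKEN']`; the hyphen is fine, whereas some servers drop header names containing underscores, so keep the hyphenated form. Decompiling the app now yields only code: every valid token belongs to an account you registered, and each one can be expired or deleted individually. As with sessions, this protects the post-login endpoints only; registration itself still needs rate limiting.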