Jquery + Codeigniter $.post security with sessions and cookies
#1

[eluser]markanderson993[/eluser]
Hello Codeigniter experts!

I'm trying to secure my jQuery (AJAX) and PHP communication so that it only works through my site (and not a third party). I researched a bit and found that I should be sending a "nonce" (my cookie session name), which I'm unclear on, and should be authenticating that against my session_id in the database.

So, in the end, jQuery would send a $.post('controller/method', {variables... 'nonce' : cookieSessionName}) and the controller method would authenticate the nonce variable by encrypting it with my session key and seeing if they match up. The only problem is, I can't ever get them to match up.

Here is a bit of test code I have and the result:
Code:
function security() {
    // Load what this method uses: the cookie helper plus the encrypt and session libraries
    $this->load->helper('cookie');
    $this->load->library(array('encrypt', 'session'));

    // Raw cookie value as sent by the browser
    $cookie = get_cookie('sessionCookieName', TRUE);
    echo $cookie;

    // Encrypted cookie (the output differs on every call, even for the same input)
    echo "<br />";
    echo $this->encrypt->encode($cookie);

    // Session ID as stored by the session library
    $session_id = $this->session->userdata('session_id');
    echo "<br />";
    echo $session_id;
}

Result:
Quote:
ff80e27777e70e3451da3476f95c26aa

Any help would be greatly appreciated! Thanks!
#2

[eluser]theprodigy[/eluser]
Using CI's default encryption, the same data will come out differently each time.
Code:
// Prints "False": each encode() call produces different ciphertext for the same input
echo ($this->encrypt->encode('test') == $this->encrypt->encode('test')) ? 'True' : 'False';

I believe you should test the DECRYPTED data against each other, not the ENCRYPTED.
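The reply in working code, as an added example that is not from the thread or from CodeIgniter: plain PHP with openssl stands in for CI's Encrypt library (assumed to behave the same way, a fresh random IV on every call), `encode()`/`decode()`/`nonce_is_valid()` are hypothetical names, and the key and token are constructed for the demo. It goes one step beyond the reply: rather than decrypting and comparing, the controller-side check compares the posted nonce against the token kept in the session with a constant-time comparison.

```php
<?php
// Added example: why two encryptions of the same value never match, and how a
// controller should actually verify an AJAX "nonce" against the session.

function encode(string $plain, string $key): string {
    $iv = random_bytes(16);                       // fresh IV every call
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

function decode(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, 16));
    return $pt === false ? null : $pt;
}

// Hypothetical controller-side check: the token the page was rendered with
// lives in the session; the client posts the same token back as 'nonce'.
// Compare tokens, not ciphertexts, and use hash_equals() so the comparison
// does not leak information through timing.
function nonce_is_valid(array $session, array $post): bool {
    if (empty($session['csrf_token']) || empty($post['nonce'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['nonce']);
}

$key   = hash('sha256', 'constructed-demo-key', true);   // constructed key
$token = bin2hex(random_bytes(16));                       // per-session token

// 1. What the original code compared: two encode() calls of the same input.
var_dump(encode($token, $key) === encode($token, $key));

// 2. What the reply suggests: decrypted values do match.
var_dump(decode(encode($token, $key), $key) === $token);

// 3. What the controller needs: posted nonce vs. session token.
$session = ['csrf_token' => $token];
var_dump(nonce_is_valid($session, ['nonce' => $token]));
var_dump(nonce_is_valid($session, ['nonce' => bin2hex(random_bytes(16))]));
```

The jQuery side only has to include the session token in the posted data; the token should be generated with `random_bytes()` when the session starts, not derived from the cookie name or session ID.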
#3

[eluser]markanderson993[/eluser]
Awesome! I'll give that a try.

Thanks a bunch