Level 51
Validate ALL your users inputs.
1 like
Nov 14, 2022
6
Level 1
livewire - Protect variables from client-side manipulation?
Hello there!
I'm new to using livewire. I was wondering how some developers are going about securing variables from client-side manipulation. I've made a rudimentary login page that requires a token to be entered from a different program within a short time frame.
The issue I'm running into is that since the variables used to display the token, username, timeout period on the screen can be manipulated on the client side, I'm able to modify these and login in as a different user or modify the timeout period.
As far as I can tell, livewire doesn't support private/protected variables that can be stored for the duration of the session. I like the concept of livewire, but I can't figure out a way to secure sensitive data without it being manipulated on the client side. (Preferably a read-only type variable would suffice.) The documentation mentions that requests have a checksum, but does this need to be explicitly enabled somewhere? I've been able to manipulate the 'public' variables on my login screen using the livewire chrome extension.
Level 50
Hey @nixa
There is also another way to protect variables from being manipulated in Livewire. You can simply pass them to the view directly without declaring them as $public this way user will have no way of manipulating them.
Of course validation is also a must as @mohamedtammam already replied.
Hope it helps!
Level 1
I do have a few local variables; however, don't those variable only exist in the scope of the function call and are destroyed upon execution completion?
I can't do:
class HelloWorld extends Component
{
public $message = 'Hello World!';
$privateValue = 'SuperSecret';
...
}
The $privateValue variable doesn't persist between calls does it? It would be reset back to 'SuperSecret' for each call?
I need to keep track of variables for the full state of the livewire component. The only alternative I can think of is creating a new database table and writing the values in the table. On the public view, reference a unique value that can read from the database table and spit those values out to the view without using public variables.
Level 50
@nixa Ok the next 2 solutions I can think of are:
-
Use public property but encrypt it and then decrypt it with your application key: https://laravel.com/docs/master/encryption I actually only thought of it now and this might be the nicest solution tbh.
-
Use Session to store those values between requests https://laravel.com/docs/master/session#storing-data and then resolve them on next request.
-
Found also this one https://github.com/archtechx/livewire-access
I would also suggest for you to actually try to hack your own application and see what you can get your hands on this way. This will also give you and idea of whats available for tempering.
Level 1
Awesome. Thanks for the suggestions! I'll give them a try to see which one I like best. I was thinking something similar to the Session idea.
Right now I'm testing storing the variables in a JSON format in a DB table with a 'hash' reference that would be public facing. Then, I could query the DB based on the hash value to pull/set the vaiues from the JSON data. Downside is that it does involve a lot more DB queries. My web app isn't going to be used on a large scale so it might not be a huge deal, but it is an inefficiency going that method.
Level 122
Please or to participate in this conversation.