Say I have a simple AJAX request as follows:

```
$.ajax({
    type: 'POST',
    data: {
        someParam: 'some param value'
    }
})
```

I would like to know when this request is sent. I thought of two ways:

  1. My first thought was to just add another param with the value of Date.now(). But that can be easily changed by someone using something like Fiddler.
  2. Another way would be to encrypt the value of Date.now() and send the encrypted value as a param, and then decode it on the server side.
  3. Would adding this value in the header provide an extra layer of security somehow?

So is there any way to accurately and securely track this? Or at the very least, is there some way I can track this and make it difficult for someone to fabricate a value?

halfer
gjvatsalya
  • Instead of trying to track the sent date on the client, you may want to track the reception date on the server. – Frédéric Hamidi Dec 01 '16 at 15:54
  • Your web server can be setup to log all calls made to it. – Rory McCrossan Dec 01 '16 at 15:55
  • @FrédéricHamidi I am already doing that, but I would like to track the time it takes for a request to get to the server as well. This is the reason I would like to add a Date param, but I'm not sure if this is possible in a secure fashion. – gjvatsalya Dec 01 '16 at 15:56
  • There probably isn't much value tracking the client date. You have no guarantee that the client's clock is correct. Even well behaving clients will have clocks which drift out of sync. Given the data isn't reliable it becomes meaningless. I'd assume the time you're attempting to track is going to be typically in the 100ms mark, a clock which is skewed by 5 mins will obliterate the value of the data. – ilivewithian Dec 01 '16 at 16:00
  • @ilivewithian Well, ideally it would be in the 100ms mark. But if you throttle the network or if you are in an area where connection is limited, it can easily reach quite a few seconds. These seconds can be pretty critical. But if you're saying the client clock is incorrect, then it would defeat the purpose of me doing this. – gjvatsalya Dec 01 '16 at 17:28
  • You could measure round trip times, but that would require an extra round trip to measure the latency. – Thomas F Dec 01 '16 at 17:41
  • @ThomasF How would I do that? Is it just taking note when the response from the server was sent and then taking note when I get request to the server? – gjvatsalya Dec 01 '16 at 17:48
  • I think that it would be easiest to have the client (js) do the actual timing, for example, see [this question](http://stackoverflow.com/questions/503199/how-to-determine-latency-of-a-remote-server-through-the-browser). Basically, start a timer, do a server call and when it ends, stop the timer. You can send the time with the next request. (This could also be unsecure, so not really answering the question.) – Thomas F Dec 01 '16 at 19:35
  • The only reason to secure something is when there is a risk if that information was made public, or otherwise known by an attacker. Of what use would spoofing the value of `Date.now` be to a would-be attacker? – Heretic Monkey May 06 '19 at 17:13
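
A server-side way to get a timing value the client cannot fabricate, as an added example that is not part of the original thread: the server hands out an HMAC-signed reading of its own clock and the client echoes it back with the POST. `SERVER_KEY`, `issueToken` and `elapsedSince` are hypothetical names, and the result is the time between token issuance and request arrival on the server's clock (it includes token delivery and any time the client holds the token), not a one-way network latency.

```javascript
// Added example (Node.js, server side). All names here are hypothetical.
const crypto = require('crypto');

// Assumption: in a real deployment this comes from server-side secret storage.
const SERVER_KEY = crypto.randomBytes(32); // never sent to the browser

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Step 1 (server): give the client an opaque token carrying the server's
// own clock reading plus a random value, authenticated with an HMAC.
function issueToken(nowMs) {
  const payload = `${nowMs}.${crypto.randomBytes(8).toString('hex')}`;
  return `${payload}.${sign(payload)}`;
}

// Step 2 (server): the POST arrives with the echoed token. Verify the MAC,
// then subtract two readings of the same clock, so client clock skew and
// edits made in a proxy cannot influence the embedded time.
function elapsedSince(token, nowMs) {
  const t = String(token);
  const cut = t.lastIndexOf('.');
  if (cut < 0) return { ok: false, reason: 'malformed' };
  const payload = t.slice(0, cut);
  const mac = Buffer.from(t.slice(cut + 1), 'hex');
  const expected = Buffer.from(sign(payload), 'hex');
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  const issuedMs = Number(payload.split('.')[0]);
  return { ok: true, elapsedMs: nowMs - issuedMs };
}

// Constructed walk-through: token issued at t=1000 ms, POST received at t=1350 ms.
const token = issueToken(1000);
console.log(elapsedSince(token, 1350)); // { ok: true, elapsedMs: 350 }
// A client that rewrites the embedded time fails verification.
console.log(elapsedSince(token.replace(/^1000/, '900'), 1350).reason); // bad signature
```

The client can still delay sending the token, which only makes the measured interval longer; it cannot choose the timestamp the server will accept.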
