Hiding variables from client

06-21-2010, 06:37 PM
I'm new to web programming, and so I may be going about this all wrong, but this is what I'm trying to do.

I'm creating an interface to access my Google Base. I can do that part without much trouble, but to access the server you need to request a session token. This token has to be sent to the server along with your query. I use JS on the main page, which calls a PHP script that requests the key, then calls the server for a full list of items, which is then passed back to the JavaScript in JSON format. The user then selects a field from the option box and I need to requery the server for the updated list. But to do this I need to resend the session token, and this is where I'm having trouble.

I need to save this token, but I'm not sure of the best way to go about this. I can pass it back to the JS portion and save it as a variable that I can then pass to the PHP script that queries the server, but I'm worried the key may contain private information about my login information. Is there a way to make this token variable hidden in the JS so that the client could not see it? Or am I way off base and the client can't view any of the variables anyway?

If someone has a suggestion for me that would be much appreciated.

06-21-2010, 08:09 PM
Anything in JavaScript can be looked at, anytime (from the User Agent that currently executes it). You could of course use a TLS/SSL session (which has nothing to do with JavaScript) to make sure no one can look at your HTTP transfers (including the sensitive information).

06-21-2010, 09:09 PM
Okay thanks!
I'm going to look at keeping my PHP session open, or whether there's a way, like in Java, to create an instance of the script and keep the token as a "private final" type variable.
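The server-side session approach mentioned in this post, as an added example that is not part of the original thread: the upstream token is stored in the PHP session and only the item list is returned to the browser. The names `fetch_upstream_token`, `query_upstream`, `handle_query` and the field values are hypothetical, and the two upstream functions are offline stand-ins for the real service calls.

```php
<?php
declare(strict_types=1);

// Stand-ins for the upstream service (constructed data, so this runs offline).
function fetch_upstream_token(): string {
    return bin2hex(random_bytes(16));
}
function query_upstream(string $token, string $field): array {
    $items = ['books' => ['A', 'B'], 'music' => ['C']];
    return $items[$field] ?? [];
}

// Handles one request. $session is the server-side store ($_SESSION in production).
function handle_query(array &$session, array $params): array {
    // The browser only chooses a field; validate it against an allow-list.
    $field = $params['field'] ?? '';
    if (!is_string($field) || !in_array($field, ['books', 'music'], true)) {
        return ['status' => 400, 'body' => ['error' => 'unknown field']];
    }
    // Request the token once and keep it on the server; it is never echoed.
    if (empty($session['upstream_token'])) {
        $session['upstream_token'] = fetch_upstream_token();
    }
    $items = query_upstream($session['upstream_token'], $field);
    return ['status' => 200, 'body' => ['field' => $field, 'items' => $items]];
}

if (PHP_SAPI !== 'cli') {
    // The browser holds only the session cookie, marked so scripts cannot read it.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    session_start();
    $result = handle_query($_SESSION, $_GET);
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result['body']);
} else {
    // Command-line demo with a constructed session array.
    $session = [];
    $first = handle_query($session, ['field' => 'books']);
    $token = $session['upstream_token'];
    $second = handle_query($session, ['field' => 'music']);
    echo json_encode($first['body']), "\n", json_encode($second['body']), "\n";
    // The token is reused across requests and absent from both responses.
    var_dump($token === $session['upstream_token']);
    var_dump(strpos(json_encode([$first, $second]), $token) === false);
}
```

The JavaScript on the page then sends only the selected field to this script and never handles the token at all.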

06-22-2010, 12:29 AM
Keep in mind that JavaScript is a prototype-based programming language. The concept of classes (with its final, private, protected, public, static, abstract keywords) doesn't apply here.

And a decent developer tool lets you explore a script and its state as it runs.

06-22-2010, 04:24 AM
You could encrypt the data in your PHP, then decrypt it when it gets sent back to the server.