In some sensitive apps, like payment systems, code is set up as such: when the user sends info to the server, for example:
{money_amount: 5, receiver_id: 2}
It's also required to send over a hashed string, like:
hash_by_client = make_hash_from_string("money" + money_amount + "receiver" + receiver_id)
The purpose: so that when the server receives the data, it independently, but using the same algorithm, computes another hashed string (hash_by_server), and compares hash_by_server with hash_by_client. If they are equal, then the server is sure the POSTed data is not modified, and can be trusted to proceed.
Question: if we are using SSL/TLS/https connections, is this setup still necessary?
Not necessary. The information sent will already be encrypted, so adding a hash doesn't improve on that.
As mentioned in a comment a hash might be good to catch "if the sender is attempting to hack." True, but note that your hash_by_client() function is (most likely) executing in javascript which the potential hacker can easily access.
So the hash merely provides a false sense of security.
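As an added example (not code from the question or the answer), here is the scheme from the question written out end to end: the client builds hash_by_client from "money" + money_amount + "receiver" + receiver_id, and the server recomputes hash_by_server with the same recipe and compares. SHA-256 is assumed as the stand-in for make_hash_from_string(), and the payloads are constructed. The demo() function shows what the check does establish (a payload whose fields changed after hashing is rejected) and what it does not (a payload whose sender also recomputed the hash with the publicly visible recipe is indistinguishable from an honest one), which is the answer's point that an unkeyed client-side hash only proves self-consistency.

```python
import hashlib
import hmac


def make_hash_from_string(s: str) -> str:
    """Unkeyed SHA-256 hex digest. Assumed stand-in for the page's make_hash_from_string()."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def integrity_hash(money_amount: int, receiver_id: int) -> str:
    """The recipe from the question: "money" + money_amount + "receiver" + receiver_id."""
    return make_hash_from_string("money" + str(money_amount) + "receiver" + str(receiver_id))


def client_request(money_amount: int, receiver_id: int) -> dict:
    """What the (browser-side) client POSTs: the fields plus hash_by_client."""
    return {
        "money_amount": money_amount,
        "receiver_id": receiver_id,
        "hash_by_client": integrity_hash(money_amount, receiver_id),
    }


def server_accepts(payload: dict) -> bool:
    """Server side: recompute hash_by_server with the same algorithm and compare."""
    hash_by_server = integrity_hash(payload["money_amount"], payload["receiver_id"])
    # Constant-time comparison so the check does not leak how many leading
    # characters of the digest matched.
    return hmac.compare_digest(hash_by_server, payload["hash_by_client"])


def demo() -> dict:
    """Three constructed payloads showing what the check does and does not establish."""
    honest = client_request(5, 2)

    # Fields altered after the hash was computed: the only case the scheme catches.
    stale = dict(honest, money_amount=500)

    # Fields changed AND hash recomputed with the same public recipe. The server
    # cannot tell this apart from `honest`: the check confirms the payload is
    # self-consistent, not that the intended client logic produced it.
    consistent = client_request(500, 2)

    return {
        "honest": server_accepts(honest),
        "stale_hash": server_accepts(stale),
        "recomputed_hash": server_accepts(consistent),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints honest and recomputed_hash as True and stale_hash as False: with TLS already protecting the data in transit, the unkeyed hash adds nothing the server can rely on, since whoever controls the client code can always produce a matching hash_by_client.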