Solved

Ajax Security

Posted on 2007-03-28
2
215 Views
Last Modified: 2013-11-07
Hi,

I am using Ajax in an web site. On the server side I use an aspx page (c# net 2.0) that get the Ajax request and do job then send xml response back to caller. Everything is good. But I will put user login with it and some important functions. Then some security issues must be placed in this action. First of al,l how can I prevent that all messages goes as plain text over network. I do not want to use https protocol if there is any other solutions. And by exposing Ajax all my api becomes available.

For example I have checkLogin function on the server side. If any one generate the same xml as like my javascript request function and make xmlhttp connection to the my aspx page(serv.aspx) then could get busy my server and could try to find password for a known user name. Like this I have some function for only use of member that authenticate.

For know I generate an key(16 char length) on server side  and past it to javascript on the page load by writing it directly. Like...


/*  client.aspx */
<script language="javascript">
var session_key = <%=Session["SessionKey"]%>
</script>
....

And embed this key into xml message. When the message comes to serv.aspx I check it if its is same with the Session["SessionKey"]. By this I hope no one send me illegal  xml requests outside the page(client.aspx). But I do not know for encryption of data that goes and come from server. If it can be good solution  at lest xml message body could be encrypt with the above security key and then decrypt on serv.aspx. If it, I need an algorithm for encrypt the data with key, written on javascript and the reverse algorithm to  
decrypt that data with the same key.

With those &#305; wrote about please sent me if there is a gap on security with this solution. If it is okey, I need the code for javascript and c# that encrypt/decrypt data.

thanks.



 
0
Comment
Question by:karanba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 2

Accepted Solution

by:
alfredwhang earned 500 total points
ID: 18808702
you should not expose your internal session variable that way!!! session variable is internal to your app and .NET encrypts that in the cookie for you and pass that to the browser.  there is no overhead required for AJAX...just procees as you nomally would like asp.net pages.  just remember to set authentication section up.  

You can think of AJAX like is like an iframe...to the server there is no way of determining wether the request was comming from the browser or from the AJAX.
0
 
LVL 2

Assisted Solution

by:alfredwhang
alfredwhang earned 500 total points
ID: 18808797
btw http://www.ohdave.com/rsa/ has javascript to do rsa encryption for you...if you still want to go that route (like i have done it before)  i have some usable code for you but it is not really not worth the trouble.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Batch, VBS, and scripts in general are incredibly useful for repetitive tasks.  Some tasks can take a while to complete and it can be annoying to check back only to discover that your script finished 5 minutes ago.  Some scripts may complete nearly …
In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question