karanba
asked on
Ajax Security
Hi,
I am using Ajax in an web site. On the server side I use an aspx page (c# net 2.0) that get the Ajax request and do job then send xml response back to caller. Everything is good. But I will put user login with it and some important functions. Then some security issues must be placed in this action. First of al,l how can I prevent that all messages goes as plain text over network. I do not want to use https protocol if there is any other solutions. And by exposing Ajax all my api becomes available.
For example I have checkLogin function on the server side. If any one generate the same xml as like my javascript request function and make xmlhttp connection to the my aspx page(serv.aspx) then could get busy my server and could try to find password for a known user name. Like this I have some function for only use of member that authenticate.
For know I generate an key(16 char length) on server side and past it to javascript on the page load by writing it directly. Like...
/* client.aspx */
<script language="javascript">
var session_key = <%=Session["SessionKey"]%>
</script>
....
And embed this key into xml message. When the message comes to serv.aspx I check it if its is same with the Session["SessionKey"]. By this I hope no one send me illegal xml requests outside the page(client.aspx). But I do not know for encryption of data that goes and come from server. If it can be good solution at lest xml message body could be encrypt with the above security key and then decrypt on serv.aspx. If it, I need an algorithm for encrypt the data with key, written on javascript and the reverse algorithm to
decrypt that data with the same key.
With those ı wrote about please sent me if there is a gap on security with this solution. If it is okey, I need the code for javascript and c# that encrypt/decrypt data.
thanks.
I am using Ajax in an web site. On the server side I use an aspx page (c# net 2.0) that get the Ajax request and do job then send xml response back to caller. Everything is good. But I will put user login with it and some important functions. Then some security issues must be placed in this action. First of al,l how can I prevent that all messages goes as plain text over network. I do not want to use https protocol if there is any other solutions. And by exposing Ajax all my api becomes available.
For example I have checkLogin function on the server side. If any one generate the same xml as like my javascript request function and make xmlhttp connection to the my aspx page(serv.aspx) then could get busy my server and could try to find password for a known user name. Like this I have some function for only use of member that authenticate.
For know I generate an key(16 char length) on server side and past it to javascript on the page load by writing it directly. Like...
/* client.aspx */
<script language="javascript">
var session_key = <%=Session["SessionKey"]%>
</script>
....
And embed this key into xml message. When the message comes to serv.aspx I check it if its is same with the Session["SessionKey"]. By this I hope no one send me illegal xml requests outside the page(client.aspx). But I do not know for encryption of data that goes and come from server. If it can be good solution at lest xml message body could be encrypt with the above security key and then decrypt on serv.aspx. If it, I need an algorithm for encrypt the data with key, written on javascript and the reverse algorithm to
decrypt that data with the same key.
With those ı wrote about please sent me if there is a gap on security with this solution. If it is okey, I need the code for javascript and c# that encrypt/decrypt data.
thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.