Solved

How to avoid information thieves for web services by using AJAX?

Posted on 2009-05-20
Last Modified: 2012-05-07
I have some AJAX calls made to acquire some information, for example,

MakeAJAXRequest('getStockPrice.php?symbol=YHOO');

In this case, it's very easy for someone to find out the access of  "http://xxx.com/getStockPrice.php?symbol=yyyy" to obtain certain information, which will increase my server's bandwidth used.

Even using HTTP POST, it's still very easy to find out how to access it. On the other hand, to encrypt the parameter sent or the content, it needs some Javascript code to encrypt/decrypt it, which can be learned easily to crack it if someone is determined.

Any way to protect "getStockPrice.php" from others except my own webpages?

Thanks.

Question by:appstar
6 Comments
LVL 4

Expert Comment

by:pellep
ID: 24430093
Here's one way:
1: Create a random sequence of characters when the user first enters your website (when the session is created) and store the sequence in the session
2: Append that sequence of characters to the Ajax URL (in the generated HTML)
3: Compare the sequence to the one stored in the users session when processing the Ajax request
4: If the sequences don't match, send back some error-code (like FORBIDDEN)
0

Author Comment

by:appstar
ID: 24430370
Hi pellep,

When you say "Create a random sequence", you mean it is created in the backend? But then how is it sent to the frontend which appends it to the AJAX URL? I mean, can this sequence be peeked at as well?

Besides, I never know when the user is logged out if he does not click on logout to abandon the sequence number. And how about the case that requires no user login?

Thanks.
0
LVL 4

Expert Comment

by:pellep
ID: 24436243
You likely have some php that generates the page with the Ajax-call on. My thinking is that you add some code to that php-page to generate a random sequence of characters. You then

1: Store that sequence in the session
2: Add the sequence as a parameter on the Ajax URL (http://xxx.com/getStockPrice.php?symbol=yyyy&seq=<your generated sequence>)

When the page makes the ajax-call, you compare the seq parameter (in getStockPrice.php) with what you previously stored in the session; if they match you know that the Ajax-call came from "your" page and not somewhere outside.
0

Author Comment

by:appstar
ID: 25718636
I don't think I get your solution. First, I don't make Ajax call on a php page but from a javascript in the frontend. Secondly, what if there is no user session used?
0
LVL 4

Accepted Solution

by:
pellep earned 375 total points
ID: 25727821
Hey there, it's certainly been a while :)

Anyway, to return to your problem: the idea is to create some form of "gateway", if you will, to prevent clients from accessing your stock-price URL without first accessing your site.

One way of doing this, like I proposed earlier, is to have the php-page from which the AJAX call is made create some random character-sequence and store it in the session. I can't remember exactly how to create a session in php, but I seem to recall it's something like start_session().

When the php-page then constructs the URL to be used by the AJAX-call on the client (the URL, not the call itself!), append the random sequence as a parameter to the URL. On the page/servlet that handles the stock-price URL, compare the character-sequence sent in as a parameter with the sequence stored in the session (when making an AJAX call from the page, that request will share the same session as the original page making the AJAX call). If the sequences match, then you know that whoever is calling the stock-price URL is doing it from the page containing the AJAX call.
0
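The session-bound token scheme pellep describes in both comments above, written out as an added PHP example (this is not code from the thread; file names `page.php` and `getStockPrice.php`, the parameter name `seq`, the session key `ajax_seq`, the constructed price table and the PHP 7+ functions `random_bytes()`, `hash_equals()` and `http_response_code()` are my assumptions). The session in PHP is `session_start()`, not `start_session()`, and it is cookie-based, so it exists whether or not the visitor logs in, which answers the "no user login" question: the token lives as long as the PHP session does and expires with it.

```php
<?php
// ---- File: page.php (hypothetical name) ----
// The page that embeds the AJAX call. Starts (or resumes) the cookie-based
// session and mints one random token per session.
session_start();

if (empty($_SESSION['ajax_seq'])) {
    // 16 random bytes -> 32 hex characters; requires PHP 7+ random_bytes()
    $_SESSION['ajax_seq'] = bin2hex(random_bytes(16));
}
$seq = $_SESSION['ajax_seq'];
?>
<script>
// The token is rendered into the page server-side and sent back on every call.
var AJAX_SEQ = <?php echo json_encode($seq); ?>;

function getStockPrice(symbol) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'getStockPrice.php?symbol=' + encodeURIComponent(symbol)
                  + '&seq=' + encodeURIComponent(AJAX_SEQ));
    xhr.onload = function () { console.log(xhr.status, xhr.responseText); };
    xhr.send(); // the browser attaches the session cookie automatically
}
getStockPrice('YHOO');
</script>

<?php
// ---- File: getStockPrice.php (hypothetical name) ----
// The endpoint to protect. Resumes the same session the page created and
// refuses any request whose seq parameter does not match the stored token.
session_start();
header('Content-Type: application/json');

$sent   = isset($_GET['seq'])          ? (string) $_GET['seq']          : '';
$stored = isset($_SESSION['ajax_seq']) ? (string) $_SESSION['ajax_seq'] : '';

// No token in the session (the caller never loaded a page) or a mismatch:
// answer 403. hash_equals() compares in constant time so the position of
// the first differing character is not leaked through response timing.
if ($stored === '' || $sent === '' || !hash_equals($stored, $sent)) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// Validate the symbol before using it anywhere (lookup, logging, etc.).
$symbol = isset($_GET['symbol']) ? strtoupper((string) $_GET['symbol']) : '';
if (!preg_match('/^[A-Z.]{1,10}$/', $symbol)) {
    http_response_code(400);
    echo json_encode(['error' => 'bad symbol']);
    exit;
}

// Constructed sample data standing in for the real price lookup.
$prices = ['YHOO' => 15.23, 'GOOG' => 395.10];
echo json_encode(['symbol' => $symbol, 'price' => $prices[$symbol] ?? null]);
```

What this buys you: a bare request to `getStockPrice.php?symbol=YHOO` from a script that never loaded `page.php` carries no session cookie and no valid `seq`, so it gets a 403 and costs you almost no bandwidth. What it does not buy you: anyone who fetches `page.php` first receives both the cookie and the token, so the gate raises the cost of casual reuse rather than making the endpoint secret. Treat the token as a per-session key, not a secret, and pair it with per-session rate limiting on the endpoint if the bandwidth concern is the real driver.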

Author Closing Comment

by:appstar
ID: 31583399
Not exactly what I am looking for
0
