Solved

How to avoid information thieves for web services by using AJAX?

Posted on 2009-05-20
Last Modified: 2012-05-07
I have some AJAX calls made to acquire some information, for example,

MakeAJAXRequest('getStockPrice.php?symbol=YHOO');

In this case, it's very easy for someone to find out the access of "http://xxx.com/getStockPrice.php?symbol=yyyy" to obtain certain information, which will increase my server's bandwidth usage.

Even using HTTP POST, it's still very easy to find out how to access it. On the other hand, to encrypt the parameter sent or the content, it needs some Javascript code to encrypt/decrypt it, which can be learned easily to crack it if someone is determined.

Any way to protect "getStockPrice.php" from others except my own webpages?

Thanks.

Question by:appstar
6 Comments
 
LVL 4

Expert Comment

by:pellep
ID: 24430093
Here's one way:
1: Create a random sequence of characters when the user first enters your website (when the session is created) and store the sequence in the session
2: Append that sequence of characters to the Ajax URL (in the generated HTML)
3: Compare the sequence to the one stored in the users session when processing the Ajax request
4: If the sequences don't match, send back some error-code (like FORBIDDEN)

Author Comment

by:appstar
ID: 24430370
Hi pellep,

When you say "Create a random sequence", you mean it is created in the backend? But then how is it sent to the frontend which appends it to the AJAX URL? I mean, can this sequence be peeked at as well?

Besides, I never know when the user is logged out if he does not click on logout to abandon the sequence number. And how about the case that requires no user login?

Thanks.
LVL 4

Expert Comment

by:pellep
ID: 24436243
You likely have some php that generates the page with the Ajax-call on. My thinking is that you add some code to that php-page to generate a random sequence of characters. You then

1: Store that sequence in the session
2: Add the sequence as a parameter on the Ajax URL (http://xxx.com/getStockPrice.php?symbol=yyyy&seq=<your generated sequence>)

When the page makes the ajax-call, you compare the seq parameter (in getStockPrice.php) with what you previously stored in the session; if they match, you know that the Ajax-call came from "your" page and not somewhere outside.

Author Comment

by:appstar
ID: 25718636
I don't think I get your solution. First, I don't make Ajax call on a php page but from a javascript in the frontend. Secondly, what if there is no user session used?
LVL 4

Accepted Solution

by:
pellep earned 125 total points
ID: 25727821
Hey there, it's certainly been a while :)

Anyway, to return to your problem: the idea is to create some form of "gateway", if you will, to prevent clients from accessing your stock-price URL without first accessing your site.

One way of doing this, like I proposed earlier, is to have the php-page from which the AJAX call is made create some random character-sequence and store it in the session. I can't remember exactly how to create a session in php, but I seem to recall it's something like start_session().

When the php-page then constructs the URL to be used by the AJAX-call on the client (the URL, not the call itself!), append the random sequence as a parameter to the URL. On the page/servlet that handles the stock-price URL, compare the character-sequence sent in as a parameter with the sequence stored in the session (when making an AJAX call from the page, that request will share the same session as the original page making the AJAX call). If the sequences match, then you know that whoever is calling the stock-price URL is doing it from the page containing the AJAX call.
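The session-bound sequence that pellep describes in his two comments above (generate it when the page is served, store it in the session, append it to the AJAX URL, compare on the endpoint) written out as an added example; this is editor-supplied code, not pellep's or appstar's. It assumes PHP 7 or later (for random_bytes() and hash_equals()), a page named page.php that serves the HTML, the getStockPrice.php endpoint from the question, and a hypothetical lookupPrice() helper with constructed sample data standing in for the real quote source. No user login is needed: session_start() issues the session cookie on the first visit, and the browser sends the same cookie with the AJAX request, which is why the endpoint can see what page.php stored.

```php
<?php
// ---- file: page.php (serves the HTML that contains the AJAX call) ----
// Added example, not code from the original thread.
session_start();

// Create the random sequence once per session and reuse it on later loads,
// so two tabs of the same visitor do not invalidate each other.
if (empty($_SESSION['ajax_seq'])) {
    // 16 CSPRNG bytes rendered as 32 hex characters (assumes PHP 7+).
    $_SESSION['ajax_seq'] = bin2hex(random_bytes(16));
}
$seq = $_SESSION['ajax_seq'];
?>
<!DOCTYPE html>
<html>
<head><title>Stock price</title></head>
<body>
<div id="price"></div>
<script>
// The sequence is embedded in the generated HTML; json_encode() makes it a
// safe JavaScript string literal. Only the URL carries it, not the call.
var seqParam = <?php echo json_encode($seq); ?>;

function getStockPrice(symbol) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'getStockPrice.php?symbol=' + encodeURIComponent(symbol)
                    + '&seq=' + encodeURIComponent(seqParam));
    xhr.onload = function () {
        document.getElementById('price').textContent = xhr.responseText;
    };
    xhr.send();
}
getStockPrice('YHOO');
</script>
</body>
</html>

<?php
// ---- file: getStockPrice.php (the endpoint the AJAX call hits) ----
// Added example, not code from the original thread.
session_start();

// Hypothetical helper: constructed sample data instead of a real price feed.
function lookupPrice(string $symbol): string {
    $sample = ['YHOO' => '16.42'];
    return $sample[$symbol] ?? 'n/a';
}

$seq    = $_GET['seq']          ?? '';
$stored = $_SESSION['ajax_seq'] ?? '';

// Step 3/4 of pellep's scheme: no session, or a sequence that does not match
// the one stored for this session, gets FORBIDDEN. hash_equals() keeps the
// comparison constant-time.
if ($stored === '' || !hash_equals($stored, $seq)) {
    http_response_code(403);
    exit('forbidden');
}

// Validate the symbol before using it anywhere (constructed pattern).
$symbol = strtoupper($_GET['symbol'] ?? '');
if (!preg_match('/^[A-Z.]{1,8}$/', $symbol)) {
    http_response_code(400);
    exit('bad symbol');
}

header('Content-Type: text/plain');
echo lookupPrice($symbol);
```

What this check does and does not give you: the sequence is visible to anyone who loads page.php, so it does not make the endpoint secret from a client that is willing to fetch the page first; what it does is tie every getStockPrice.php request to a session that started on your site, which stops the simple case of a third party linking straight to the endpoint from elsewhere. Because each session now has its own identifier, per-session rate limiting on the endpoint is the natural complement for the bandwidth concern raised in the question.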

Author Closing Comment

by:appstar
ID: 31583399
Not exactly what I am looking for