Solved

How to avoid information thieves for web services by using AJAX?

Posted on 2009-05-20
226 Views
Last Modified: 2012-05-07
I have some AJAX calls made to acquire some information, for example,

MakeAJAXRequest('getStockPrice.php?symbol=YHOO');

In this case, it's very easy for someone to find out the access of  "http://xxx.com/getStockPrice.php?symbol=yyyy" to obtain certain information, which will increase my server's bandwidth used.

Even using HTTP POST, it's still very easy to find out how to access it. On the other hand, to encrypt the parameter sent or the content, it needs some Javascript code to encrypt/decrypt it, which can be learned easily to crack it if someone is determined.

Any way to protect "getStockPrice.php" from others except my own webpages?

Thanks.

Question by:appstar
6 Comments
 
LVL 4

Expert Comment

by:pellep
ID: 24430093
Here's one way:
1: Create a random sequence of characters when the user first enters your website (when the session is created) and store the sequence in the session
2: Append that sequence of characters to the Ajax URL (in the generated HTML)
3: Compare the sequence to the one stored in the users session when processing the Ajax request
4: If the sequences don't match, send back some error-code (like FORBIDDEN)

Author Comment

by:appstar
ID: 24430370
Hi pellep,

When you say "Create a random sequence", you mean it is created in the backend? But then how is it sent to the frontend which appends it to the AJAX URL? I mean, can this sequence be peeked at as well?

Besides, I never know when the user is logged out if he does not click on logout to abandon the sequence number. And how about the case that requires no user login?

Thanks.
LVL 4

Expert Comment

by:pellep
ID: 24436243
You likely have some php that generates the page with the Ajax-call on. My thinking is that you add some code to that php-page to generate a random sequence of characters. You then

1: Store that sequence in the session
2: Add the sequence as a parameter on the Ajax URL (http://xxx.com/getStockPrice.php?symbol=yyyy&seq=<your generated sequence>)

When the page makes the ajax-call, you compare the seq parameter (in getStockPrice.php) with what you previously stored in the session; if they match you know that the Ajax-call came from "your" page and not somewhere outside.

Author Comment

by:appstar
ID: 25718636
I don't think I get your solution. First, I don't make Ajax call on a php page but from a javascript in the frontend. Secondly, what if there is no user session used?
LVL 4

Accepted Solution

by:pellep (earned 125 total points)
ID: 25727821
Hey there, it's certainly been a while :)

Anyway, to return to your problem: the idea is to create som form of "gateway" if you will to prevent clients from accessing your stock-price URL without first accessing your site.

One way of doing this, like I proposed earlier, is to have the php-page from which the AJAX call is made create some random character-sequence and store it in the session. I can't remember exactly how to create a session in php, but I seem to recall it's something like start_session().

When the php-page then constructs the URL to be used by the AJAX-call on the client (the URL, not the call itself!), append the random sequence as a parameter to the URL. On the page/servlet that handles the stock-price URL, compare the character-sequence sent in as a parameter with the sequence stored in the session (when making an AJAX call from the page, that request will share the same session as the original page making the AJAX call). If the sequences match, then you know that whoever is calling the stock-price URL is doing it from the page containing the AJAX call.
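The session-token "gateway" pellep describes, worked through as an added example (not code from the thread). The PHP session and its cookie are simulated with a dict keyed on a session id so the whole flow runs offline; the names SessionStore, render_page and get_stock_price are assumptions of this example. Note that, as pellep says, this only stops callers who never loaded your page; a client that fetches the page first receives a valid sequence.

```python
# Added example: the "random sequence in the session" check from the thread,
# modelled in plain Python. SessionStore stands in for PHP's session store and
# cookie; render_page is the page that embeds the AJAX call, get_stock_price
# is the protected endpoint. All three names are this example's assumptions.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


class SessionStore:
    """Session id (the cookie value) -> session data, like PHP's $_SESSION."""

    def __init__(self):
        self._sessions = {}

    def open(self, cookie_sid=None):
        """Return (sid, data). Creates an anonymous session when the browser
        sends no valid cookie, so the scheme needs no user login at all."""
        if cookie_sid is None or cookie_sid not in self._sessions:
            cookie_sid = secrets.token_hex(16)
            self._sessions[cookie_sid] = {}
        return cookie_sid, self._sessions[cookie_sid]


def render_page(store, cookie_sid=None):
    """Page that embeds the AJAX call: create the sequence once per session,
    store it server-side, and write it into the generated AJAX URL."""
    sid, session = store.open(cookie_sid)
    if "seq" not in session:
        session["seq"] = secrets.token_hex(16)  # 128 random bits
    url = "getStockPrice.php?" + urlencode({"symbol": "YHOO", "seq": session["seq"]})
    return sid, url  # sid goes back to the browser as the session cookie


def get_stock_price(store, cookie_sid, url):
    """Protected endpoint: the seq parameter must equal the session's copy.
    The AJAX request carries the same cookie as the page, so it shares the session."""
    query = parse_qs(url.partition("?")[2])
    sent = query.get("seq", [""])[0]
    _sid, session = store.open(cookie_sid)
    stored = session.get("seq", "")
    # Constant-time compare; an empty stored value means this session never
    # loaded the page (no cookie, or a fresh one), so it is rejected as well.
    if not stored or not hmac.compare_digest(stored, sent):
        return 403, "FORBIDDEN"
    symbol = query.get("symbol", [""])[0]
    return 200, f"{symbol}: price lookup goes here"
```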

Author Closing Comment

by:appstar
ID: 31583399
Not exactly what I am looking for