  1. #1
    SitePoint Enthusiast (joined May 2008, 56 posts)

    Ajax security concerns

    Hello all,

    I've been building a widget for a site of mine that is ajax powered. Every time a user clicks, the requested data is returned. Very simple.

    My question is: if someone were to clone my ajax request to the server, they could easily just retrieve that data my script returns and use it in one of their own scripts, correct?

    If so, then how can I prevent this type of thing from happening? Because even if I send and retrieve tokens with every request, that other person's script could just be coded to handle that as well.

    I'm baffled.

  2. #2
    SitePoint Enthusiast (joined Jun 2008, 41 posts)
    Regular web pages are currently limited by the browser security model to only get data from the same hostname. For example, foo.com can only access stuff on foo.com and not bar.com.

  3. #3
    SitePoint Addict (joined Dec 2007, 207 posts)
    Quote Originally Posted by AlexanderZ:
    Regular web pages are currently limited by the browser security model to only get data from the same hostname. For example, foo.com can only access stuff on foo.com and not bar.com.
    That is so hackers can't target browsers (people who browse). So unless I have understood incorrectly that is quite irrelevant here.

    My question is if someone were to clone my ajax request to the server.. they could easily just retrieve that data my script returns and use it in one of their own scripts, correct?
    Yes.

  4. #4
    SitePoint Enthusiast (joined May 2008, 56 posts)
    Well, that's reassuring!

    Any other obvious precautions someone should take when developing?

    Thanks for the help.

  5. #5
    SitePoint Enthusiast (joined Jun 2008, 41 posts)
    If the script is running on that person's computer, there is no way to prevent it from accessing the data in the request. If you want to prevent other people from accessing data meant only for a certain user, you should use some form of authentication, such as a session and IP check.
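    The server-side check the reply describes, as an added example that is not code from the thread: the widget endpoint ties the returned data to an authenticated session (and optionally to the IP the session was created from) rather than to anything the client script sends, so a replayed request without a valid session cookie gets no data. The cookie name `sid`, the session store and the widget data are constructed for the example.

    ```python
    # Added example: authenticate an AJAX widget request server-side.
    from http.cookies import CookieError, SimpleCookie

    # Constructed session store: session id -> owning user and the IP it was issued to.
    SESSIONS = {
        "s3ss10n-alice": {"user": "alice", "ip": "203.0.113.7"},
    }

    # Constructed per-user data the widget endpoint serves.
    WIDGET_DATA = {
        "alice": ["item-1", "item-2"],
        "bob": ["item-9"],
    }


    def session_from_headers(headers):
        """Look up the session named by the 'sid' cookie; None if absent or unknown."""
        cookie = SimpleCookie()
        try:
            cookie.load(headers.get("Cookie", ""))
        except CookieError:
            return None  # malformed cookie header: treat as unauthenticated
        morsel = cookie.get("sid")
        return SESSIONS.get(morsel.value) if morsel else None


    def handle_widget_request(headers, client_ip, check_ip=True):
        """Return (status, body) for one AJAX request.

        Data is selected by the user bound to the session, never by a user id
        supplied in the request, so a cloned request can only ever receive the
        data of the session it actually carries. The IP comparison is the
        session-and-IP check suggested in the thread; it is optional because
        legitimate clients whose address changes mid-session would be cut off.
        """
        session = session_from_headers(headers)
        if session is None:
            return 401, {"error": "authentication required"}
        if check_ip and session["ip"] != client_ip:
            return 401, {"error": "session not valid from this address"}
        return 200, {"items": WIDGET_DATA.get(session["user"], [])}


    if __name__ == "__main__":
        print(handle_widget_request({}, "203.0.113.7"))
        print(handle_widget_request({"Cookie": "sid=s3ss10n-alice"}, "203.0.113.7"))
    ```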

  7. #7
    SitePoint Addict (joined Dec 2007, 207 posts)
    Quote Originally Posted by AlexanderZ:
    If the script is running on that person's computer, there is no way to prevent it from accessing the data in the request. If you want to prevent other people from accessing data meant only for a certain user, you should use some form of authentication, such as a session and IP check.
    Yep.
    Quote Originally Posted by Raffles:
    True, but as I stated above, this doesn't really affect the OP's concerns.

