I use a CFC that checks to see if the method being called is from within the
domain, is indeed AJAX, and that the method is indeed accessed remotely;
otherwise it aborts the request. If you are doing cross-site requests, pass a
unique key in your form.

Is it ajax?

    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
        <!---
        all of the user management requests are going to come via ajax
        within the domain.
        if a request is not from this site and not ajax, abort the request
        run this check on any of the remote methods
        --->
        <cfscript>
            // var keeps the headers local to this call instead of leaking
            // into the variables scope of the CFC instance
            var requestHeaders = getHTTPRequestData().headers;
            // X-Requested-With is added by jQuery and most XHR libraries;
            // a non-browser client can add it too, so treat it as a first filter
            if(not StructKeyExists(requestHeaders, "X-Requested-With")){
                return false;
            }
            else if(StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest"){
                return false;
            }
            else{
                return true;
            }
        </cfscript>
    </cffunction>


Called on init:

        <cfparam name="url.method" default="">
        <cfscript>
            // is url.method one of this CFC's access="remote" functions?
            accessRemote = false;
            cfcname = getMetadata(this);
            for(i=1; i lte arrayLen(cfcname.FUNCTIONS); i++){
                fname = cfcname.FUNCTIONS[i];
                if(fname.name eq url.method && fname.access eq "remote"){
                    accessRemote = true;
                    break;
                }
            }
            // abort unless both hold: the request is AJAX and the method is remote
            if(not isAjax() or not accessRemote){
                abort(); // this is a simple cfabort function for MX
            }
        </cfscript>



On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews <[email protected]>wrote:

>
> I have a method that I'm exposing remotely. We'll be using AJAX calls to
> insert usability stats about a new application. I'm working through the code
> when I realize that since it's remote access, anyone from any site could
> post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any
> other site, or code. My first thought was to compare the current URL, dev1
> for example, to the URL the request was made from, or perhaps the IP
> address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
>
>
> andy matthews
>
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336268
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

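The checks the reply above describes, written out as one guarded CFC. This is an added example, not code from either poster: the component name, the `allowedHosts` list, the `csrfToken` form-field name, the `logStat` method and the `application.usabilityStats` array are all assumed, and it relies on `sessionManagement="true"` in Application.cfc. It keeps the `X-Requested-With` test as a first filter, adds the "within the domain" test the reply mentions by comparing the Origin (or Referer) host against a list, and adds the per-session "unique key" the reply recommends. Only the token check actually stops a foreign page: a browser will not let another site read the token from our page, while both headers can be set freely by curl or any script, and a client that holds its own session and token can still post whatever it likes, so this blocks cross-site posts, not deliberate skewing by someone with the URL.

```cfml
<!--- remoteGuard.cfc (assumed name): allow remote methods only for our own AJAX callers --->
<cfcomponent output="false">

    <!--- hosts allowed to call us; constructed values, replace with your own --->
    <cfset variables.allowedHosts = "www.example.com,dev1.example.com">

    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
        <cfargument name="headers" type="struct" required="true">
        <cfscript>
            // jQuery and most XHR wrappers add this header; any non-browser client can too
            return structKeyExists(arguments.headers, "X-Requested-With")
                and arguments.headers["X-Requested-With"] eq "XMLHttpRequest";
        </cfscript>
    </cffunction>

    <cffunction name="isSameSite" access="private" returntype="boolean" output="false">
        <cfargument name="headers" type="struct" required="true">
        <cfscript>
            var source = "";
            var host = "";
            // browsers send Origin on XHR POSTs; fall back to Referer for GETs
            if (structKeyExists(arguments.headers, "Origin")) {
                source = arguments.headers["Origin"];
            } else if (structKeyExists(arguments.headers, "Referer")) {
                source = arguments.headers["Referer"];
            } else {
                return false; // no origin information at all: treat as cross-site
            }
            // "https://host:8500/path" -> "host": drop the scheme, cut at ":" or "/"
            host = listFirst(reReplaceNoCase(source, "^https?://", ""), ":/");
            return listFindNoCase(variables.allowedHosts, host) gt 0;
        </cfscript>
    </cffunction>

    <cffunction name="getCsrfToken" access="public" returntype="string" output="false">
        <cfscript>
            // one random token per session; render it into the page with #getCsrfToken()#
            // and have the client send it back in the csrfToken field (assumed name)
            if (not structKeyExists(session, "csrfToken")) {
                session.csrfToken = hash(createUUID() & getTickCount(), "SHA-256");
            }
            return session.csrfToken;
        </cfscript>
    </cffunction>

    <cffunction name="isAuthorizedRemoteCall" access="private" returntype="boolean" output="false">
        <cfargument name="methodName" type="string" required="true">
        <cfargument name="headers" type="struct" required="true">
        <cfargument name="token" type="string" required="true">
        <cfscript>
            var meta = getMetadata(this);
            var isRemote = false;
            var i = 0;
            // only functions declared access="remote" may be reached this way
            for (i = 1; i lte arrayLen(meta.functions); i++) {
                if (meta.functions[i].name eq arguments.methodName
                    and meta.functions[i].access eq "remote") {
                    isRemote = true;
                    break;
                }
            }
            // every check must hold; compare() is case-sensitive, unlike eq
            return isRemote
                and isAjax(arguments.headers)
                and isSameSite(arguments.headers)
                and structKeyExists(session, "csrfToken")
                and compare(session.csrfToken, arguments.token) eq 0;
        </cfscript>
    </cffunction>

    <!--- the remote method that records a usability event --->
    <cffunction name="logStat" access="remote" returntype="boolean" output="false">
        <cfargument name="event" type="string" required="true">
        <cfargument name="csrfToken" type="string" default="">
        <cfif not isAuthorizedRemoteCall("logStat", getHTTPRequestData().headers, arguments.csrfToken)>
            <!--- a bare 403 tells a probing client less than an error page would --->
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>
        <!--- application.usabilityStats is assumed to be created in Application.cfc --->
        <cfset arrayAppend(application.usabilityStats, {event = arguments.event, at = now()})>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

On the client side the page renders `#getCsrfToken()#` into a hidden field or a JavaScript variable and posts it as `csrfToken` with each XHR; jQuery adds `X-Requested-With` itself. Missing Origin and Referer is treated as cross-site, which will reject privacy-configured clients that strip both; if that matters, drop `isSameSite` from the conjunction and rely on the token, which is the check that does the real work.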