On Jan 12, 2006, at 1:39 PM, Karl Guertin wrote:
On 1/12/06, mario ruggier <[EMAIL PROTECTED]> wrote:
I was looking for a simple way to process callbacks such as
loadJSONDoc(url) that only originate from my loaded pages on the
client. First thing I thought of was to just check that the server part
of the HTTP_REFERER for the json callback is the same as that of the
site serving the pages (and the service callbacks).

HTTP_REFERER is easy to fake.

First off, I'd like to recommend that you don't block illegitimate
requests. Someone has a reason to make those requests. If your service
is open enough not to require authentication then it's open, otherwise
it's authenticated.

This sounds like reasonable advice, and I will leave the service URLs openly accessible for now, until I understand better what is best to do. In fact, the first one to be affected by protecting these is the developer, as then such a URL cannot be just loaded freely to see what it returns... ;-(

Anyhow, such URLs may be made to require authentication, but not always. An example is a registration form that does callbacks for unique username values... the user is not even registered, so cannot be authenticated anyway.

If you really want to make sure that requests are legitimate, you have
to use some sort of authentication scheme. A simple one that doesn't
require sign in is a secret token system. This doesn't need to be
complex, a hash of the client IP + salt passed as a get parameter
would do the trick. When the request comes in, you strip the
parameter, validate and pass it on.

Using a temporary token is very reasonable, and this functionality is actually provided out of the box by the framework I am using in this case, qp <http://www.mems-exchange.org/software/qp/>.

If someone cares enough to make queries to your service, tricks like
HTTP_REFERER won't stop them.

Guess so. I was just considering such as a compromise, to get most of them with least effort. But maybe the real ones to want to defend oneself from are the ones that such a scheme will not get.

mario
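The secret-token scheme Karl sketches (a keyed hash over the client IP, passed as a GET parameter, stripped and validated on the way in) as an added example; this is not code from the thread or from qp. It assumes a server-side secret, a token lifetime of ten minutes and a caller that supplies the current time, all constructed for the example, and uses an HMAC rather than a bare hash so the secret never needs to leave the server.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Server-side secret ("salt" in the thread); placeholder value for this example.
SECRET = b"replace-with-a-random-server-secret"
TOKEN_TTL = 600  # seconds a token stays valid after it is issued


def issue_token(client_ip: str, issued_at: int) -> str:
    """Token to embed in the page that makes the JSON callbacks.

    The MAC binds the token to the requesting IP and its issue time; a
    forged Referer does not help a caller who cannot compute it."""
    msg = f"{client_ip}|{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def validate_token(token: str, client_ip: str, now: int) -> bool:
    """Recompute the MAC for the calling IP and compare in constant time."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False  # from the future or expired
    expected = issue_token(client_ip, issued_at).split(".", 1)[1]
    return hmac.compare_digest(expected, mac)


def handle_callback(url: str, client_ip: str, now: int) -> tuple:
    """Strip the token parameter, validate it, and pass the rest on.

    Returns (accepted, remaining_query_params)."""
    params = parse_qs(urlparse(url).query)
    token = params.pop("token", [None])[0]
    if token is None or not validate_token(token, client_ip, now):
        return False, {}
    return True, {k: v[0] for k, v in params.items()}


if __name__ == "__main__":
    tok = issue_token("203.0.113.7", 1_700_000_000)  # constructed IP and time
    url = f"/check_username?name=mario&token={tok}"
    print(handle_callback(url, "203.0.113.7", 1_700_000_005))
```

Binding the token to the client IP rejects a reused token from another address, but it also breaks for users behind NATs or proxies whose address changes mid-session; a session identifier such as the one qp issues avoids that trade-off.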
