I don't see the problem. The problem might be the notion that AJAX is more secure. AJAX is no different than a regular POST, other than the same-domain policy (which - I agree, is a tiny bit more secure, but only that much, since, as you demonstrated, it's easy to override it). You should consider your AJAX pages as a secondary API to your page. Assume a dedicated user will have no problem figuring out your mechanism (it is in the code after all). Secure your AJAX pages the same way you would any other page - I really can't see how this is different than any other page security - escape your input, try to identify brute-forces etc.
On Sat, Oct 2, 2010 at 12:58 AM, hairbo <[email protected]> wrote:
> I'm not 100% sure how to phrase this, so apologies if this post gets
> wordy or confusing...
>
> Is there any standard way to ensure that data received on an AJAX post
> page does, in fact, come to that page via an AJAX request? I could
> imagine somebody coming to a site that handles login via AJAX, popping
> open Firebug, figuring out what the AJAX post page is for the login
> request, and then navigating directly to that page in a browser,
> throwing params in the URL, just to see what might happen.
>
> Without being able to articulate exactly why, I'd say this sounds like
> a "bad" thing. Is there any sort of a token one passes from an AJAX
> post in JS back to the server for authentication?
>
> Does my question even make sense?
>
> Thanks in advance.

--
Arieh Glazer אריה גלזר
052-5348-561 5561
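The point of the reply, in code: the AJAX login endpoint is just another server-side handler, and the thing that keeps a direct browser visit or a hand-built request from doing something it shouldn't is the same server-side checking a plain HTML form gets, not the fact that the request arrived "via AJAX". The example below is added here and is not code from either poster. It is a hypothetical login handler (`handle_login`) that validates a session-bound anti-forgery token (the "token passed from JS back to the server" the question asks about), ignores the forgeable `X-Requested-With` header for authorization purposes, validates its input, and counts failed attempts per client as a minimal brute-force check. The server secret, credential store, session id and client addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed server-side secret for the example; a real deployment loads this
# from configuration rather than hard-coding it.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# Failed-login counter per client: a minimal stand-in for the brute-force
# detection the reply recommends (constructed example state).
FAILED_ATTEMPTS = defaultdict(int)
LOCKOUT_THRESHOLD = 5


def issue_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token.

    The server embeds this in the page; the JS layer sends it back with every
    AJAX POST. A request made by typing the URL into the address bar, or by a
    page on another origin, does not carry it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(issue_token(session_id), presented or "")


def _credentials_ok(username: str, password: str) -> bool:
    # Constructed credential store for the example only.
    return (username, password) == ("alice", "correct horse battery staple")


def handle_login(headers: dict, form: dict, session_id: str, client: str) -> tuple:
    """Authorize one request to the hypothetical AJAX login endpoint.

    Returns (status_code, reason). `headers` is accepted but deliberately not
    consulted for authorization: X-Requested-With is set by the client and
    proves nothing about where the request came from.
    """
    if FAILED_ATTEMPTS[client] >= LOCKOUT_THRESHOLD:
        return (429, "too many failed attempts")
    if not token_is_valid(session_id, form.get("csrf_token")):
        return (403, "missing or invalid anti-forgery token")
    # The same input validation a plain HTML form handler would perform.
    username = form.get("username", "")
    password = form.get("password", "")
    if not username.isalnum() or len(username) > 64:
        return (400, "rejected username")
    if not _credentials_ok(username, password):
        FAILED_ATTEMPTS[client] += 1
        return (401, "bad credentials")
    FAILED_ATTEMPTS[client] = 0
    return (200, "ok")


def demo() -> dict:
    """Run the handler against the request shapes discussed in the thread."""
    session_id = "sess-" + secrets.token_hex(8)  # constructed session id
    token = issue_token(session_id)
    ajax_headers = {"X-Requested-With": "XMLHttpRequest"}
    good = {"username": "alice", "password": "correct horse battery staple"}
    results = {}
    # 1. The page's own JS: carries the session-bound token -> accepted.
    results["ajax_with_token"] = handle_login(
        ajax_headers, {**good, "csrf_token": token}, session_id, "10.0.0.1")
    # 2. Direct navigation with params in the URL: no token -> rejected.
    results["direct_url_no_token"] = handle_login({}, good, session_id, "10.0.0.2")
    # 3. The AJAX header alone, no token: header proves nothing -> rejected.
    results["header_only_no_token"] = handle_login(
        ajax_headers, good, session_id, "10.0.0.3")
    # 4. Token minted for a different session -> rejected.
    other = issue_token("sess-someone-else")
    results["wrong_session_token"] = handle_login(
        ajax_headers, {**good, "csrf_token": other}, session_id, "10.0.0.4")
    # 5. Repeated bad passwords with a valid token -> locked out at threshold.
    bad = {**good, "password": "guess", "csrf_token": token}
    for _ in range(LOCKOUT_THRESHOLD):
        handle_login(ajax_headers, bad, session_id, "10.0.0.5")
    results["locked_out"] = handle_login(ajax_headers, bad, session_id, "10.0.0.5")
    return results


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name:24s} -> {status} {reason}")
```

The token is derived with an HMAC over the session id so the server stores nothing extra per session; a random per-session value stored server-side works just as well. Either way the decision is made on the server from things the client cannot forge, which is what makes the endpoint as safe as any other page, no more and no less.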
