Software development, photography, jokes, ....


Sites by me

 
tas-logoTransportation Administration System
snoezelkussen-logo-kleinstSnoezelkussens voor verstandelijk gehandicapten
ikzoekeenbegeleider-logoBegeleiders voor gehandicapten
Laat uw hond het jaarlijkse vuurwerk overwinnen
Betuweroute en Kunst
logo 50x50Hey Vos! Je eigen naam@vos.net emailadres?
Kunst in huis? Nicole Karrèr maakt echt bijzonder mooie dingen
nettylogo2Kunst in huis? Netty Franssen maakt ook bijzonder mooie dingen
Professionele opvang bij Gastouderbureau
Kind-Zijn
Salarisadministratie en belastingadvies bij
De Zaak Loont
Zutphense Bomenstichting

Hosting Favorites

 
ANU Internet Services
XelMedia .internet Services
register.com

Blogroll

 
Bomenstichting
LassoSoft
MacFreak
Quality that computes
The Economy of Motion
Wheel 2.0
IntrAktv



Website Hosting bij Xel Media


Marc's Place


 

Restrict Lasso AJAX-file calls to the intended web page

Suppose you have a nice setup where a page interacts with the server via AJAX-calls and executes a Lasso file on the server to get some data. You don't want this file to be called directly via the URL-bar in a web browser, or via other self-made web pages by others who try to access it via a copy of your page. Anybody can see which AJAX-files your page is calling, so for some it is always a challenge to execute them outside the normal webpage to see what data will come up. Might be of interest! So you want to prevent that, somehow.

There is a Lasso-tag called referrer_url, which returns a string containing the URL that requested your AJAX-page. If you look into this string for a domain name or a path that only you have, you can block execution if the requestor is not coming from your server. When a page is called directly in the browser, the referrer_url is always an empty string. Which is logical, since the page was not referred to by another page.

Suppose I have a page mypage.html with a jQuery auto-complete implementation in it. This auto-complete can of course be used by more than one page and you do not want people to try it out in other ways.

...
...
<input type="text" id="inp1" size="25"><span id="desc1"></span>
...
...
<script>
$(document).ready(function() {
   $("#inp1").autocomplete({minLength:2, source: "ajax.lasso?p1=a&p2=b", select: function(e,u) { $("#inp1").val(u.item.value); $("#desc1").html((u.item.label).replace("(" + u.item.value + ")", "")); return false; } });
});
</script>


Simple protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
...
...
/if;
]


Better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
...
...
/if;
]


So this gives you some protection from just try something-users. Add a login-system, which restricts the number of users that might want to hack your pages - you can trace their actions on your site. In that case, add a check if the user is logged in. You must execute your complete login-sequence in your AJAX-pages too, as with 'normal' pages, since the xhttprequest is a normal HTTP request and thus the browser sends the same HTTP-headers and cookies, etc.. to your AJAX-page.

More protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
   var('loggedIn = false');

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


Even better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
   var('loggedIn = false');

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


But, as with everything web-related, nothing can be trusted.
 

See Older Posts...
© 1997- Marc Vos (and others) Contact Me