Software development, photography, jokes, ....

Sites by me

 
tas-logoTransportation Administration System
snoezelkussen-logo-kleinstSnoezelen Pillows for Dementia
ikzoekeenbegeleider-logoBegeleiders voor gehandicapten
Laat uw hond het jaarlijkse vuurwerk overwinnen
Betuweroute en Kunst
logo 50x50Hey Vos! Je eigen naam@vos.net emailadres?
Kunst in huis? Nicole Karrèr maakt echt bijzonder mooie dingen
nettylogo2Kunst in huis? Netty Franssen maakt ook bijzonder mooie dingen
Professionele opvang bij Gastouderbureau
Kind-Zijn
Salarisadministratie en belastingadvies bij
De Zaak Loont
Zutphense Bomenstichting

Hosting Favorites

 
ANU Internet Services
XelMedia .internet services
register.com
GoDaddy.com

Blogroll

 
Bomenstichting
MacFreak
Google Translate
PHP
MySQL
jQuery
jQuery UI
codecademy
YourHead Stacks API
Favicon Generator. For real.
Check HTTPS problems



Categories

Archives
 Dec 2019 (1)
 Nov 2019 (1)
 Oct 2019 (2)
 Aug 2019 (2)
 Jun 2019 (2)
 May 2019 (2)
 Apr 2019 (5)
 Feb 2019 (6)
 Dec 2018 (2)
 Nov 2018 (1)
 Oct 2018 (1)
 Sep 2018 (5)
 Aug 2018 (1)
 Jul 2018 (6)
 Jun 2018 (4)
 May 2018 (2)
 Apr 2018 (3)
 Mar 2018 (10)
 Feb 2018 (8)
 Jan 2018 (2)
 Dec 2017 (3)
 Nov 2017 (4)
 Oct 2017 (3)
 Sep 2017 (2)
 Aug 2017 (2)
 Jul 2017 (1)
 Jun 2017 (2)
 May 2017 (4)
 Apr 2017 (4)
 Mar 2017 (2)
 Feb 2017 (2)
 Jan 2017 (5)
 Dec 2016 (5)
 Nov 2016 (5)
 Oct 2016 (2)
 Sep 2016 (4)
 Aug 2016 (2)
 Jul 2016 (4)
 Jun 2016 (2)
 May 2016 (3)
 Apr 2016 (6)
 Mar 2016 (3)
 Feb 2016 (1)
 Jan 2016 (3)
 Dec 2015 (3)
 Nov 2015 (4)
 Oct 2015 (4)
 Sep 2015 (3)
 Aug 2015 (3)
 Jul 2015 (1)
 Jun 2015 (1)
 May 2015 (3)
 Apr 2015 (2)
 Feb 2015 (3)
 Jan 2015 (3)
 Dec 2014 (4)
 Nov 2014 (2)
 Oct 2014 (5)
 Sep 2014 (4)
 Aug 2014 (5)
 Jul 2014 (2)
 Jun 2014 (2)
 May 2014 (5)
 Apr 2014 (2)
 Feb 2014 (1)
 Jan 2014 (2)
 Dec 2013 (2)
 Nov 2013 (3)
 Oct 2013 (3)
 Sep 2013 (2)
 Aug 2013 (1)
 Jul 2013 (3)
 Jun 2013 (2)
 May 2013 (3)
 Apr 2013 (3)
 Mar 2013 (6)
 Feb 2013 (3)
 Jan 2013 (4)
 Dec 2012 (5)
 Nov 2012 (3)
 Oct 2012 (3)
 Sep 2012 (6)
 Aug 2012 (4)
 Jun 2012 (5)
 May 2012 (7)
 Apr 2012 (4)
 Mar 2012 (1)
 Feb 2012 (5)
 Jan 2012 (5)
 Dec 2011 (5)
 Nov 2011 (7)
 Oct 2011 (4)
 Sep 2011 (6)
 Aug 2011 (3)
 Jul 2011 (7)
 Jun 2011 (9)
 May 2011 (3)
 Apr 2011 (8)
 Mar 2011 (7)
 Feb 2011 (2)
 Jan 2011 (3)
 Dec 2010 (6)
 Nov 2010 (10)
 Oct 2010 (4)
 Sep 2010 (3)
 Aug 2010 (10)
 Jul 2010 (10)
 Jun 2010 (1)
 May 2010 (1)
 Apr 2010 (2)
 Mar 2010 (2)
 Feb 2010 (5)
 Jan 2010 (1)
 Dec 2009 (6)
 Nov 2009 (6)
 Oct 2009 (4)
 Sep 2009 (2)
 Jul 2009 (1)

Marc's Place


 

Powered by the Blogspot.stack

Foto: Cannon Fire in Gorinchem

 Permalink
Cannon Fire in Gorinchem

Cannon Fire in Gorinchem

Just right - the sun as a blast of the old cannon.
 Comments

Foto: Still Life

 Permalink
Still Life of an Evening@Home

Still Life of an Evening@Home



iPhone-apps experiments (tilt-shift, borders, coloring filters, vignettes).
 Comments

Bronkhorster bieren

 Permalink
Een paar weken geleden vond ik in de supermarkt in Hummelo een setje lokaal gebrouwen bieren: Bronckhorster, gebrouwen door Brouwerij Rodenburg in Rha. Wel prijzig, dus een aanrader voor af en toe en speciale gelegenheden zoals Ome Joop's speciale gelegenheden: als het regent en als het niet regent!

bronkhorster-bieren
 Comments

Restrict Lasso AJAX-file calls to the intended web page

 Permalink
Suppose you have a nice setup where a page interacts with the server via AJAX-calls and executes a Lasso file on the server to get some data. You don't want this file to be called directly via the URL-bar in a web browser, or via other self-made web pages by others who try to access it via a copy of your page. Anybody can see which AJAX-files your page is calling, so for some it is always a challenge to execute them outside the normal webpage to see what data will come up. Might be of interest! So you want to prevent that, somehow.

There is a Lasso-tag called referrer_url, which returns a string containing the URL that requested your AJAX-page. If you look into this string for a domain name or a path that only you have, you can block execution if the requestor is not coming from your server. When a page is called directly in the browser, the referrer_url is always an empty string. Which is logical, since the page was not referred to by another page.

Suppose I have a page mypage.html with a jQuery auto-complete implementation in it. This auto-complete can of course be used by more than one page and you do not want people to try it out in other ways.

...
...
<input type="text" id="inp1" size="25"><span id="desc1"></span>
...
...
<script>
$(document).ready(function() {
   $("#inp1").autocomplete({minLength:2, source: "ajax.lasso?p1=a&p2=b", select: function(e,u) { $("#inp1").val(u.item.value); $("#desc1").html((u.item.label).replace("(" + u.item.value + ")", "")); return false; } });
});
</script>


Simple protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
...
...
/if;
]


Better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
...
...
/if;
]


So this gives you some protection from just try something-users. Add a login-system, which restricts the number of users that might want to hack your pages - you can trace their actions on your site. In that case, add a check if the user is logged in. You must execute your complete login-sequence in your AJAX-pages too, as with 'normal' pages, since the xhttprequest is a normal HTTP request and thus the browser sends the same HTTP-headers and cookies, etc.. to your AJAX-page.

More protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
   var('loggedIn = false');

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


Even better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
   var('loggedIn = false');

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


But, as with everything web-related, nothing can be trusted.
 
 Comments
© 1997- Marc Vos (and others)   -   Privacy Statement   -    Contact Me