I use wcf-hosted NancyFx with forms authorization with redirection enabled (DisableRedirect = false).
I would like in case of unsuccesfull authorization attempt handle it and signal to user (show some tooltip that user name or password is wrong). How can I do it with FormAuth?
Another approach is to use Ajax post request, but because of redirection I can't get 401 code. If I turn off redirection it works (I can get 401 in ajax post request). But I want to use redirection facilities in my application...
I never work before with FormAuth, so what is my options here?
Thanks in advance!
Well, actually there were obvious solution based on parsing returned querystring (smth like login?error=true&username=a, as in examples for Nancy forms auth app). On document load parse this query string and show tooltip... Another question whether it is standart (good) practise?..
Related
Hi guys I want that I have a post method in spring controller
But user hits url request directly from a browser then user gets nothing.
So how can I redirect this to login page in spring mvc.
As per your description
But user hits url request directly from a browser then user gets
nothing
When user hitting a URLfrom browser, it should be a GET request but you said you have POST request there. That's why nothing happens(should give
GET not supported
in browser though).
POST method requests server to process submitted form data.
To achieve that, you have to declare a GET method for that URL in your controller side and return your resource(view) to the user and then user will get that after hitting that URL. After that you can perform POST request from user side(i.e. form data submission).
In one line: Your POST request will be GET in controller side if you want to just what you want.
Please let me know if I can assist more.
probably you should look for security instead of look for "redirects", you can cool at this question for reference :
link to similar question
It is NOT possible to make POST request from the browser.
You can find some other approaches fire-http-post-requests-with-firefox-or-chrome
I've searched previous answers but can't seem to find the exact answer.
I am using ajax to call a controller action. This controller action does some other stuff then calls a public function of my user controller:
Request::factory("/user/savepoints/".$new_total);
How can i secure my action_savepoints in the User controller from people just entering it as a URL?
I currently have this at the top of my function but it doesn't do what im looking for.
if( ! $this->request->is_initial() ):
HTTP::redirect('/error');
endif;
Thanks for your help.
Either use an HTTP POST request, which can't be done just by entering a URL. (Though it can spoofed, or done via a form)
Or:
How about generating a kind of token on the server, getting it to the ajax code somehow, then passing it back in the ajax request.
Obviously they could still forge the request manually if they pull the token out of your page, but you issued them the token in the first place.
You could make the token single-use, time limited, or user-specific.
Make sure it contains some kind of checksum with a server secret to prevent people building their own tokens.
Do you want to prevent any unauthorized users to run the script or do you want to make sure that the script only can be run via AJAX calls?
For the first, you can just check if the user is logged in. The AJAX request uses the same session as the ordinary requests.
if (Auth::instance()->logged_in())
For the second you need to check the HTTP headers if it's an AJAX call. But note that this is not a safe way to do it as HTTP headers can be altered by the client and can not be trusteed.
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
{
//This is an ajax call
}
Unfortunately, there's no bullet proof or safe way to detect an AJAX request other than this.
I am trying to use ajax in my spring mvc application. When I try a url (post/get) which is secured and needs authentication, the response is the html of login page as it is redirected behind the scenes.
What is the best approach to overcome this issue?
First, I would avoid displaying Ajax links to URLs needing authentication if the user is not authenticated, if possible.
If not always possible, your login page could be returned with a specific HTTP response code, (or any other way to distinguish it from a normal response) and your JavaScript callback could replace the entire body of the current page with the HTML received if this response code is received. Most AJAX libraries come with a way to define a handler to all the AJAX requests. Such a global handler could be used here.
The login page could also be adapted to only return a status code in case of an AJAX request, and the JavaScript code would then redirect to the login page (without using AJAX) if this status code is received.
I may not have explained the issue well. So I did not get the right response. However the response from JB Nizet contained some other points. So thank you.
I could solve the issue after coming back to this issue after some time, so
I posted about this on my blog.
I hope it is useful.
As the title may possibly suggest, I'm wondering what's more secure for AJAX requests: POST or GET. I can't work out which is better because they're both hidden from the user due to the URI being sent via. AJAX, not in the URL bar.
Thanks,
James
Neither add any security against either man-in-the-middle attacks or the end user. Both can be intercepted and tampered with using Wireshark, Firebug, or other tools.
If you want security against interception, you can use HTTPS. That does not prevent the user from sending requests manually, though.
It's almost trivially easy to inspect the contents of both post and get values. Your best bet, if you do not want the user to be able to get at that data directly, is to encrypt it, and / or send it over ssl.
There are no security differences between POST and GET used in AJAX. They are not hidden from the user - a simple tool like Fiddler would allow the user to see those requests. the payload in both is in plain text (ie, as your script created it). The only difference is that POST payload is in the body of the request and GET payload is in the query params of the URL.
They are not hidden from the user at all; install FireBug on FireFox and they are able to see the URI. Your choice of using GET and POST depends on the data sent; and if you going by REST standards, depending on the operation.
Treat an AJAX call as you would with information coming from the client through a form and through the address bar : Verify and sanctify.
They can view the page source and see where your target URL is and what parameters are being passed either way.
Im using jQuery validate plugin and every form has multiple validation levels.
level is by validate plugin
level is:
data is submitted to site
I get a reply
if everything is ok -> JS redirects to url
if there is an error, it shows warnings
Now I wonder, is it safe to send login info via ajax? I know that with addons like firebug, I am also able to get all POST parameters with normal submit. But can somebody else interfere with ajax login request and steal precious data?
is it safe to send login info via ajax
You do use HTTPS, do you? If you do it's as safe as form submit.
Are you issuing requests over HTTPS?
If you mean someone else on the network, then see the earlier comments about HTTPs.
If you mean "can someone inject something into a page and steal the data", the answer is yes. As you've observed, the user can install plugins which could do this; it's also possible that your page could be inadvertently be the target of injection via cross-site scripting or some other flaw.