I'm building a model asset website. The model data format is JavaScript, and users can use a GET request to load a model in the browser. Because each model is paid, I want to encrypt the model request over HTTPS; my intention is that users can't see the model request's response string in Fiddler or Firebug. Is it possible to do this via HTTPS, or are there any suggestions?
E.g., this is a model link: http://www.mywebsite.com/model/sofa.js. Normally, users can see the detailed content of the response in their local browser.
Thanks
Related
I followed the example on http://docs.brightcove.com/en/video-cloud/media/references/reference.html#Video. The response gets shown in an iframe. However, I would like to be able to get the JSON response in order to store the data (i.e., Brightcove video ID) in my own database. I tried using AJAX post but Brightcove doesn't seem to accept post requests from a different origin. Is there a way to simply get the response data without displaying it in an iframe or in a separate window?
You can't get the response data in javascript since the API response does not include CORS headers. You'd need to do this in server-side code, which also has the advantage of not exposing your API token to the browser.
I have a resource (an html web page, but it could be anything else like json/xml describing a book) and retrieve it with a GET request:
http://127.0.0.1/welcome
This resource is in Japanese (because kawai desu). Now, I do a GET request on this resource, asking the server for another language:
http://127.0.0.1/welcome?lang=en
So the server responds with the English version of the resource. But from now on, since I called ?lang=en, I want to set the default language of the user in a cookie. So the server adds a cookie to its response:
Cookie: language=en
The browser now has the language=en cookie. Then, I ask for the resource without GET parameters and the server delivers the English version because the browser sent the Cookie:language=en request header:
http://127.0.0.1/welcome
Returns the English version.
These queries look like retrieving (a resource with a cookie), idempotent (doesn't change a bit when sent several times) and safe (server-modification-less) queries to me: am I right to use GET requests even if they involve cookies?
Two GET requests have the same URI http://127.0.0.1/welcome but different results: how does caching (browser and proxy) handle this?
GET response for http://127.0.0.1/welcome?lang=en could be cached too: will (proxy/CDN, browser) cached responses include the language=en cookie (so user language for the website switches to en)?
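The caching behaviour asked about in the question above, as an added example that is not part of the original post. It models a shared cache that stores every response unless it is marked `private` or `no-store` and that honours `Vary: Cookie`; the `origin`, `SharedCache` and `demo` names and the `hardened` switch are constructed for illustration.

```ruby
# Constructed origin for /welcome: language comes from ?lang= or the cookie.
def origin(path, cookie, hardened:)
  lang = path[/lang=(\w+)/, 1] || cookie.to_s[/language=(\w+)/, 1] || "ja"
  headers = {}
  if path.include?("lang=")
    headers["Set-Cookie"] = "language=#{lang}"
    headers["Cache-Control"] = "private" if hardened # per-user: not for shared caches
  elsif hardened
    headers["Vary"] = "Cookie" # the cookie selects the representation
  end
  { body: "welcome (#{lang})", headers: headers }
end

# Toy shared cache (proxy/CDN): keyed on the URL, plus the request's Cookie
# header when the stored response says "Vary: Cookie"; responses marked
# private or no-store are passed through without being stored.
class SharedCache
  def initialize(hardened:)
    @hardened = hardened
    @entries = Hash.new { |h, k| h[k] = [] }
  end

  def get(path, cookie = nil)
    hit = @entries[path].find { |e| !e[:vary] || e[:cookie] == cookie }
    return hit[:res].merge(from_cache: true) if hit
    res = origin(path, cookie, hardened: @hardened)
    unless res[:headers]["Cache-Control"].to_s.match?(/private|no-store/)
      @entries[path] << { vary: res[:headers]["Vary"] == "Cookie",
                          cookie: cookie, res: res }
    end
    res
  end
end

# Replays the question's sequence through one shared cache.
def demo(hardened)
  cache = SharedCache.new(hardened: hardened)
  cache.get("/welcome", "language=en")   # user A, English cookie
  b = cache.get("/welcome")              # user B, no cookie
  cache.get("/welcome?lang=en")          # user A switches language
  c = cache.get("/welcome?lang=en")      # user C follows the same link
  { b_body: b[:body], c_from_cache: c[:from_cache] == true,
    c_set_cookie: c[:headers]["Set-Cookie"] }
end
```

With `hardened` off, user B receives user A's English page and user C is handed a stored `Set-Cookie`; with it on, neither response is shared across users.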
I am attempting to scrape the source data of a particular URL using Ruby. To begin, I am using Net::HTTP.new to create the http object and then using http.post to pass along the appropriate login data. This works as intended and responds with the appropriate session cookies.
After logging in, and adding the session cookie data to the headers, I then try to access the particular page that I want to scrape. The server responds with a 302 request to an aspx URL on a different subdomain, accompanied with a query string, i.e. sub.domain.com/path/blah.aspx?md5=jdj456bnn. When I try to load that subdomain using the same technique as I used before, I am met with a user not authorized 302. Does anyone know the proper way to load that relocation, or what I could be missing here?
It's very possible a session cookie is being set during the redirect, but your code isn't maintaining it.
"net-http-cheat-sheet" might show how to deal with it, or look into using Mechanize, which will manage them for you using a cookie jar.
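One way to keep cookies across the redirect described in this answer, as an added example that is not the poster's code or part of Net::HTTP. `CookieJar`, `NET_FETCH` and `get_following_redirects` are hypothetical names, and the jar honours only the `Domain` attribute.

```ruby
require "net/http"
require "uri"

# Tiny cookie jar: honours Domain, ignores Path/Expires/Secure (simplification).
class CookieJar
  def initialize
    @cookies = {} # [domain, name] => [value, host_only]
  end

  def store(host, set_cookie_lines)
    Array(set_cookie_lines).each do |line|
      pair, *attrs = line.split(";").map(&:strip)
      name, value = pair.to_s.split("=", 2)
      next if name.nil? || name.empty?
      dom = attrs.map { |a| a.split("=", 2) }
                 .find { |k, _| k.to_s.casecmp?("domain") }&.at(1)
      dom = dom&.sub(/\A\./, "")&.downcase
      # Reject a Domain that does not cover the host that set the cookie.
      next if dom && host != dom && !host.end_with?(".#{dom}")
      @cookies[[dom || host, name]] = [value.to_s, dom.nil?]
    end
  end

  def header_for(host)
    @cookies.select { |(dom, _), (_, host_only)|
      host == dom || (!host_only && host.end_with?(".#{dom}"))
    }.map { |(_, name), (value, _)| "#{name}=#{value}" }.join("; ")
  end
end

# Default fetcher: one real GET; Net::HTTP never follows redirects by itself.
NET_FETCH = lambda do |uri, headers|
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(Net::HTTP::Get.new(uri, headers))
  end
end

def get_following_redirects(url, jar, fetch: NET_FETCH, limit: 5)
  uri = URI(url)
  limit.times do
    cookie = jar.header_for(uri.host)
    res = fetch.call(uri, cookie.empty? ? {} : { "Cookie" => cookie })
    jar.store(uri.host, res.get_fields("Set-Cookie")) # cookies set on the 302 itself
    return res unless res.is_a?(Net::HTTPRedirection) && res["Location"]
    uri = URI.join(uri.to_s, res["Location"])
  end
  raise "too many redirects"
end
```

Passing a different `fetch:` lambda lets the redirect and cookie handling be exercised without network access.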
How does the browser send a cookie back to the server during POST requests? How is this different from the form data that is sent during a POST?
Also, are the values of cookies for a particular domain automatically sent back to the domain for all its subsequent requests?
Thanks,
Murtaza
There is no difference between how cookies are sent for GET and POST requests.
Form data is data such as fields from an HTML form, e.g. name, username, file, etc.
Any cookies sent back in a response from a domain will be sent back to the server in subsequent requests. This is true in web browsers at least, if you are doing this in code, you might have to write additional code to handle cookies.
This should work for AJAX calls made by your browser as well as full pages. Every request, be it full pages, images or AJAX calls will have the Cookies attached if they are going to an appropriate domain and path.
These primers on cookies and HTTP POST would be useful:
http://en.wikipedia.org/wiki/HTTP_cookie
http://en.wikipedia.org/wiki/POST_(HTTP)
I have a website that is currently using https for secure login and transactions. You can't navigate to the main site unless you log in.
I have had a request from a partner who has asked if they can seamlessly navigate to our site from their own web application, without logging in. Their site is also using https.
I've set up a "PartnerLoginPage.aspx" page, and allowed them to POST html form values into this page (they have the correct user login details). I then authenticate them based on the posted values and redirect them to the main site. They don't need to login then, I've already authenticated them and it works perfectly.
My biggest concern is that this is not a secure way of authenticating the user. If you POST html form values into a https page is the data still encrypted? Just out of interest, if their site was not an http site (it is) would the data still be encrypted?
e.g. THEIR HTTPS -> FORM POST VALUES -> OUR HTTPS -> ARE FORM POST VALUES ENCRYPTED?
and
THEIR HTTP (note: no 's') -> FORM POST VALUES -> OUR HTTPS -> ARE FORM POST VALUES ENCRYPTED?
Thanks for any help,
Stuart
Assuming all keys are valid, of course...
If the request is made from an https page, then the request is encrypted (meaning the POST values, which are sent via the request, are encrypted, regardless of destination).
If the request is made from a non https page to an https page, the request is not encrypted, but the response would be, so the post variables are NOT encrypted (but the value returned would be).
HTTPS essentially sets up whether the server/page that is talking is using encryption or not, so http -> https = non-encrypted request, encrypted response, https -> http = encrypted-request, non-encrypted response.
Of course, there are levels of security that can be set at the script level, but I don't think your answer is worried about that.
Quick Post Script
Why don't you give the partner sites a service account like "username: partners, pw: sheswithme" or some such? You could use cURL to set up the cookie and pass the server variables and have them point their form to a script that makes the request instead of having their users having semi-direct access to your script.