I have googled many times to find the best security for AJAX GET requests, but didn't find anything.
Has anybody implemented any security for GET AJAX requests in MVC3, like passing some random number or GUID in the AJAX header and checking it in Global.asax against the session or a database?
I am having a hard time making CSRF Guard work on Ajax requests in my Grails application. I already added the JavaScript servlet to the page and followed the instructions on their website. The problem is that it keeps saying that I have a missing token. Aside from that, our Ajax request is not inside a form, and I would assume that CSRF Guard looks for forms in order to auto-inject the token for Ajax POST requests. I just get each parameter and pass it as data in my Ajax POST request.
You should try the pattern outlined by the author of this question: Grails - Is there a recommended way of dealing with CSRF attacks in AJAX forms?
I am trying to use Facebook from Scrapy.
I can log in successfully. However, I can't get the posts on Facebook because the posts come from Ajax calls.
I tried using Firebug and checked the XHR. I got this:
I tried to check the response of all those requests, but none of them contains the actual data of the posts.
What is the Ajax request that gets the posts on Facebook?
Thanks in advance.
Don't use the AJAX calls from your browser. Those are encrypted since Facebook uses HTTPS connections. Focus on using their API to make the calls you need to get the data you want. That's the entire purpose of their Graph API.
I am trying to use Ajax in my Spring MVC application. When I try a URL (POST/GET) which is secured and needs authentication, the response is the HTML of the login page, as the request is redirected behind the scenes.
What is the best approach to overcome this issue?
First, I would avoid displaying Ajax links to URLs needing authentication if the user is not authenticated, if possible.
If not always possible, your login page could be returned with a specific HTTP response code, (or any other way to distinguish it from a normal response) and your JavaScript callback could replace the entire body of the current page with the HTML received if this response code is received. Most AJAX libraries come with a way to define a handler to all the AJAX requests. Such a global handler could be used here.
The login page could also be adapted to only return a status code in case of an AJAX request, and the JavaScript code would then redirect to the login page (without using AJAX) if this status code is received.
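The answer above describes a global AJAX handler that recognises a login response and navigates to the login page without AJAX. The block below is an added example, not code from the answerer or from Spring Security: a `fetch()` wrapper whose `classifyResponse` checks the three signals available to the client, an explicit 401 (the server adapted as the answer suggests), a redirect that ended on the login page (`fetch` follows the 302 transparently, so the status alone reads 200), and an HTML body where JSON was expected. The login path `/login`, the `returnTo` parameter, the `X-Requested-With` marker and the assumption that the endpoints return JSON are all choices made for this illustration.

```javascript
// Added example: one wrapper around fetch() that notices "the server sent
// the login page instead of data" and performs a full navigation to the
// login page. LOGIN_PATH, returnTo and X-Requested-With are assumptions.
const LOGIN_PATH = '/login';   // assumed login page URL

// Decide what an AJAX response means, most reliable signal first.
function classifyResponse(res) {
  if (res.status === 401) return 'login';                       // server adapted for AJAX
  if (res.redirected && new URL(res.url).pathname === LOGIN_PATH) return 'login'; // 302 chain
  const type = (res.headers.get('content-type') || '').toLowerCase();
  if (res.ok && type.startsWith('text/html')) return 'login';   // HTML where JSON was expected
  return res.ok ? 'ok' : 'error';
}

// Send the browser to the login page with a normal navigation, remembering
// where the user was so the application can return there afterwards.
function redirectToLogin(win) {
  const back = encodeURIComponent(win.location.pathname + win.location.search);
  win.location.assign(LOGIN_PATH + '?returnTo=' + back);
}

// The global handler: every AJAX call goes through here, so the login check
// lives in one place. X-Requested-With lets the server tell AJAX calls apart
// from page loads if it wants to answer them with a 401 instead of a 302.
async function ajax(url, init, win) {
  const headers = {
    'X-Requested-With': 'XMLHttpRequest',
    Accept: 'application/json',
    ...(init && init.headers),
  };
  const res = await fetch(url, { ...init, credentials: 'same-origin', headers });
  const verdict = classifyResponse(res);
  if (verdict === 'login') { redirectToLogin(win); return null; }
  if (verdict === 'error') throw new Error('HTTP ' + res.status);
  return res.json();
}

// Constructed demo: what fetch() hands back after silently following a 302
// to the login page (status 200, HTML body).
const demoRes = {
  status: 200, ok: true, redirected: true,
  url: 'https://app.example/login',
  headers: new Map([['content-type', 'text/html; charset=utf-8']]),
};
console.log(classifyResponse(demoRes)); // login
```

In the browser, `ajax('/api/orders', { method: 'GET' }, window)` replaces a bare `fetch` call; the redirect branch is the one that matters for the original problem, because the login page arrives with a 200 and only `res.redirected` and `res.url` reveal that the server bounced the request.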
I may not have explained the issue well, so I did not get the right response. However, the response from JB Nizet contained some other points, so thank you.
I could solve the issue after coming back to it after some time, so I posted about this on my blog.
I hope it is useful.
We have an MVC app that uses controllers for AJAX endpoints and FormsAuth for authentication.
I've run into an interesting scenario where a GET request will behave differently than a POST request (both for an unauthorized user).
In this particular case, our custom ControllerFactory runs the following code when trying to access this controller:
FormsAuthentication.SignOut();
requestContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl);
throw new UnauthorizedAccessException();
(I realize that redirecting inside an AJAX request makes no sense, but bear with me).
When I do a GET request (AJAX) to this controller, the client receives a 401 - Unauthorized exception, which I can trap on the client side and redirect the user to the login page.
When I do a POST request (AJAX) to this controller, I'm getting a 302, and my request got redirected to my login page.
Why do the GET and POST requests act differently?
So I took Darin's advice and did some refactoring, and I no longer run into this problem. :) I discovered the root of my problem, which was that we had an attribute for MVC error handling that did not have the IExceptionFilter attribute, so some stuff was happening in a non-deterministic order. Thanks for the helpful kick in the butt. ;)
I am using CyberSource as the payment gateway for my application. The payment information is sent correctly if we post the form without using an Ajax request.
Now we need to implement this using an Ajax request. I tried passing the information to CyberSource but got a JavaScript error "access denied" when I tried to submit the form using an Ajax POST request.
When I tried to debug this issue, the line mypostrequest.open("POST", "theUrl", true); was giving the error.
Is there any reason why a site might block a POST request through Ajax and not block a request from the usual form post?
Thanks in advance.
There should be no difference, from the perspective of the CyberSource server, between a post via AJAX or a normal form submit, so the server would not have a basis for deciding to block a post via AJAX. The "access denied" problem might be due to the fields and values you included in your post. Make sure all required fields are included.
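One browser-side caveat worth adding to the exchange above: the gateway server indeed cannot tell the two kinds of POST apart, but the browser can. The same-origin policy stops an `XMLHttpRequest` from posting to a different origin unless that origin opts in with CORS headers (older Internet Explorer reports this as "Access is denied" at `open()`), while an ordinary form submission to another origin is allowed. The block below is an added example, not code from the question, the answer or CyberSource: it checks whether the target is same-origin and, if not, falls back to a dynamically built form. The URLs and field names are constructed for the illustration.

```javascript
// Added example: post the same fields via XHR-style fetch() when the target
// is same-origin, and via a real form submission (full navigation) when the
// gateway lives on another origin. URLs and field names are constructed.
function isSameOrigin(targetUrl, pageOrigin) {
  // URL() resolves relative paths against the page origin, so "/pay" is
  // same-origin while "https://gateway.example/pay" is not.
  return new URL(targetUrl, pageOrigin).origin === pageOrigin;
}

// Build a hidden form carrying each field as <input type="hidden">. Values
// are assigned as properties, never concatenated into markup, so there is
// no HTML-escaping problem with user-supplied data.
function buildPostForm(doc, action, fields) {
  const form = doc.createElement('form');
  form.method = 'POST';
  form.action = action;
  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = String(value);
    form.appendChild(input);
  }
  return form;
}

// Choose the transport. doc and win are passed in (document/window in a
// browser) so the function can be exercised outside one.
async function postPayment(doc, win, action, fields) {
  if (isSameOrigin(action, win.location.origin)) {
    const res = await fetch(action, {
      method: 'POST',
      body: new URLSearchParams(fields),
      credentials: 'same-origin',
    });
    return { via: 'xhr', status: res.status };
  }
  const form = buildPostForm(doc, action, fields);
  doc.body.appendChild(form);   // a form must be in the document to submit
  form.submit();                // navigates away; no response is readable
  return { via: 'form', status: null };
}

// Constructed sample: shop on one origin, gateway on another.
console.log(isSameOrigin('/pay', 'https://shop.example'));                      // true
console.log(isSameOrigin('https://gateway.example/pay', 'https://shop.example')); // false
```

The trade-off is the one the original poster was trying to avoid: a cross-origin form post hands control of the page to the gateway, whereas an XHR would have let the page stay in place. That is a deliberate browser restriction, and the only way to keep the XHR is for the target origin to send CORS headers, which is the gateway's decision rather than the shop's.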