My bot is running in an iframe, but I want to hide the secret.
Is it possible to use the iframe and hide the secret from the users?
See option one here but instead of doing the request to get the token on the client side you could do it on the server side when the page loads then pass it through to the client side. That way you only expose the temporary token to anyone inspecting your iframe code.
Using ASP.NET this could be achieved inside the Page_Load event writing to a hidden field if you’re using webforms, Index/Get method of the controller writing to a bound property and hidden field if you’re using mvc, or in the OnGet method and set on the model of a Razor page.
There are various ways you could do the HTTP request - using the built in WebRequest or HttpClient classes, or using a third party library such as RestSharp.
Related
I am confused about client side and server side validation in ASP.net.
I know that client side validations validate on the client side, and asp.net validation controls are server side controls. But if I am applying it on any server side control like <asp:textbox> and apply RequiredFieldValidator, it validates immediately like a client side control. All other asp validation controls validate immediately without post back to server.
So how does it work without posting back to the server?
Even though the ASP.NET server theoretically validate on the server, they will also validate on the client. From Microsoft's documentation:
If the user is working with a browser that supports dynamic HTML
(DHTML), ASP.NET validation controls can perform validation using
client script. Because the controls can provide immediate feedback
without a round trip to the server, the user experience with the page
is enhanced.
Under most circumstances, you do not have to make any
changes to your page or to the validation controls to use client-side
validation. The controls automatically detect if the browser supports
DHTML and perform their checking accordingly. Client-side validation
uses the same error display mechanism as server-side validation.
If you use HTMLHelper in the views it will automatically insert javascript validation from e.g. the DataAnnotation of the model. Things like Required, MaxLength etc. are checked on the client-side (and on the server-side again).
I have a system which uses Jquery AJAX calls to an .ASMX web service for INTERNAL and STATELESS use.
For example, after pressing a button, a Jquery call is launched to insert a new user).
Now, the problem is, that the Jquery AJAX call is dynamically inserted by the user. The user can decide what code of Javascript to put, so he may call a AddUser() function in the web service, or do something else. Then, that piece of code is inserted dynamically and the button will add all the Javascript that the user wrote into the HTML content.
In the case the user decides to call the Jquery and specifically adds a code to call the AddUser() function in the WS, how can I do it securely? How can I assure that this AJAX request is coming from the same domain?
I understand that every HTTP Request header can be manipulated, so how can I assure that the AJAX call is coming from the same site?
I remind you, the purpose of that web service is for internal uses of the system - so I don't want that an external user will read the JS code and copy it an add users as much as he wants!
I don't want to use tokens or identification. It is a stateless request and I just want to add a user but to have control of who is making the call.
I will be happy to get any suggestion. Thank you in advance!
In my opinion you can't. You either add some kind of authentication (if you have one on the site you may use the same authentication) or render a token on the page which is sent with the AJAX request. Of course in both cases you add some form of state but in my opinion the requirement to originate the request from the same site is a requirement to track state.
I use MVC5 for a site where users have to login with custom credentials. I've changed the login procedure from the inital auto-generated code to a somewhat single page approach.
Users enter their credentials
these are sent via ajax to the controller
if the credentials are valid, a loading animation shows and the main page is being loaded via ajax
the controller that returns the main page is annotated with the [Authorize] attribute.
I wonder: is there something basic that speaks against such an approach?. The site I run does not have any top secret contents, but it should not have a backdoor just because I missed something basic here.
From what I could see, MVC5's auto-generated login procedure sents the credentials in plain text as well, just like the ajax post I use. The auto-generated login includes a RequestVerificationToken which I obmitted.
Thanks for any ideas!
Using AJAX to authenticate a user is a common approach. A couple things I would recommend:
Whenever you are sending credentials like a username/password combination it should always be done via SSL. Even after the user is authenticated all requests should be send over SSL to prevent a hacker from stealing the security token.
Make sure that there are is no UI code in your AJAX calls. AJAX is used for sending and retrieving data only. Your UI should be on the client using a framework such as Knockout, Backbone, or Angular. Even if you are not doing a full blown SPA (Single Page Application) and do not require one of those frameworks, select a client side templating framework like Mustache or Handlebars.
I'm working on an asp.net project based on asp.net AJAX but we get more and more client side calls using jquery ($.ajax) and get json or html return. I'm wondering what is the best way to handle these calls on the server side, in the same webform, or use a specific http handler, or even web service? can somebody share the experience or best practice?
thanks.
I'd recommend you an http handler. Normally it's the best and simplest option.
There is no problem on managing the ajax call using a page method (marked as WebMethod and static), the only drawback is that can be only be called from that page. The http handler is independent and can be called from any page.
The web service is normally suitable for calling third party API, I don't see that you need to create one for ajax calls on your own web site.
I'm using jquery ajax to fetch data from an asp.net webservice. I'm wondering how I can secure it and have it work with jquery ajax. The service is part of my web application and to access it you have to be logged in to the application. However I'd like to further secure it. For example a consultant looking up all their customers in an autocomplete box is good, but they can instead send in some other consultant's id. What's the best way to secure this?
I've looked at this article here http://msdn.microsoft.com/en-us/library/w67h0dw7%28VS.71,classic%29.aspx . However, I don't know how to make this work with jquery ajax. Any help would be appreciated.
As far as I understand you want to make sure that you know the identity of the person using your service. If the web service is part of your application this should not be a problem by using cookies (assuming the web service is on the same domain as the site). See this e-book for some ideas.
Otherwise you could hand out temporary identifiers to the logged in members of your site which would be used in the webservice calls - this way even if the identifier is stolen, it can only be used for a limited time.
I made it more secure by using encryption. I encrypt the consultant's id when passing it via ajax, and decrypt it on the server side. Obviously I do the encryption on server side and pass it to client when rendering the page. And then ajax makes the call using that encrypted id.