I have a system which uses Jquery AJAX calls to an .ASMX web service for INTERNAL and STATELESS use.
For example, after pressing a button, a Jquery call is launched to insert a new user).
Now, the problem is, that the Jquery AJAX call is dynamically inserted by the user. The user can decide what code of Javascript to put, so he may call a AddUser() function in the web service, or do something else. Then, that piece of code is inserted dynamically and the button will add all the Javascript that the user wrote into the HTML content.
In the case the user decides to call the Jquery and specifically adds a code to call the AddUser() function in the WS, how can I do it securely? How can I assure that this AJAX request is coming from the same domain?
I understand that every HTTP Request header can be manipulated, so how can I assure that the AJAX call is coming from the same site?
I remind you, the purpose of that web service is for internal uses of the system - so I don't want that an external user will read the JS code and copy it an add users as much as he wants!
I don't want to use tokens or identification. It is a stateless request and I just want to add a user but to have control of who is making the call.
I will be happy to get any suggestion. Thank you in advance!
In my opinion you can't. You either add some kind of authentication (if you have one on the site you may use the same authentication) or render a token on the page which is sent with the AJAX request. Of course in both cases you add some form of state but in my opinion the requirement to originate the request from the same site is a requirement to track state.
Related
I have an existing ASP.NET website with a login. The login procedure is not trivial, because of routing to different front ends on different servers based on which user logs in. There is also some communication/login going on to a classic ASP website.
Now I want to start to decouple the first step of the login procedure using a tiny Angular2 app. Basically this should just collect the user and password and leave the login validation etc. to the existing ASP.NET logic. So from my naive point of view, this is the same as filling out user and password on my existing ASP.NET page and clicking the submit button.
I know that I can make http requests using angular2 and have successfully done so calling SOAP based web services which are part of the login validation process.
I have the idea that I can somehow fake the http request which is executed when submitting the login form in the existing ASP.NET page. But as far as I understand it right now, even if I could make an http request to my login.aspx site the response I would get would sit in my Angular2 obervable as text whereas I would like to leave my Angular2 app and "simply use" that response.
I am not even sure what questions to ask ... but how do I do that?
What have I not considered?
Some options I have:
It would be possible to change parts of the existing ASP.NET page(s).
I think it would be OK to open a new browser tab in which the existing ASP.NET app would be displayed.
We need to use static method's to make Ajax calls.
I didn't really understand the whole picture, but I know that you can load an ASP.NET partial view from an Angular2, or even make an http call to an ASP.NET Controller to get your data.
So I don't really understand your problem there, since the question is not clear, but you could make an http call to an ASP.NET Controller that would manage calls to your different WebServices.
Some clarifications would be helpful for a more detailled answer.
I use MVC5 for a site where users have to login with custom credentials. I've changed the login procedure from the inital auto-generated code to a somewhat single page approach.
Users enter their credentials
these are sent via ajax to the controller
if the credentials are valid, a loading animation shows and the main page is being loaded via ajax
the controller that returns the main page is annotated with the [Authorize] attribute.
I wonder: is there something basic that speaks against such an approach?. The site I run does not have any top secret contents, but it should not have a backdoor just because I missed something basic here.
From what I could see, MVC5's auto-generated login procedure sents the credentials in plain text as well, just like the ajax post I use. The auto-generated login includes a RequestVerificationToken which I obmitted.
Thanks for any ideas!
Using AJAX to authenticate a user is a common approach. A couple things I would recommend:
Whenever you are sending credentials like a username/password combination it should always be done via SSL. Even after the user is authenticated all requests should be send over SSL to prevent a hacker from stealing the security token.
Make sure that there are is no UI code in your AJAX calls. AJAX is used for sending and retrieving data only. Your UI should be on the client using a framework such as Knockout, Backbone, or Angular. Even if you are not doing a full blown SPA (Single Page Application) and do not require one of those frameworks, select a client side templating framework like Mustache or Handlebars.
I develop SignalR (1.1.2) chat for our corporative site (ASP.NET) and I don't know how place it for almost all pages of site. I have the next questions:
Online/offline states of users change when users move on other page.
In my chat state setting performs on OnConnected/Ondisconnected callbacks in my Hub class and it call when users move on other page.
Should I initialize SignalR with $.connection.hub.start().done on ALL pages? May be are there workarounds?
What does cross-domain mean? I don't understand this definition.
What logic should I move in OnReconnected callback in my Hub class?
Thanks in advance.
Sounds like you are trying to use SignalR in the wrong way.
You are going to have to start the hub every time you change page unless your application is a single page application. E.g. All run via JavaScript on one page.
When you change page, you are effectively closing down the SignalR connection to the hub, then you will need to start it on the next page. This will raise the Disconnect event.
Each time you connect, your user will be given a new ConnectionID, so their online/offline status will change depending on how you are handling this.
The only work around would be to create a Single Page application.
Cross-Domain means that you are calling the SignalR methods on another URL from the client.
Within your OnReconnected callback you might want to just write some logic that notifys a user that they have been reconnected.
I'm working on an asp.net project based on asp.net AJAX but we get more and more client side calls using jquery ($.ajax) and get json or html return. I'm wondering what is the best way to handle these calls on the server side, in the same webform, or use a specific http handler, or even web service? can somebody share the experience or best practice?
thanks.
I'd recommend you an http handler. Normally it's the best and simplest option.
There is no problem on managing the ajax call using a page method (marked as WebMethod and static), the only drawback is that can be only be called from that page. The http handler is independent and can be called from any page.
The web service is normally suitable for calling third party API, I don't see that you need to create one for ajax calls on your own web site.
I'm using jquery ajax to fetch data from an asp.net webservice. I'm wondering how I can secure it and have it work with jquery ajax. The service is part of my web application and to access it you have to be logged in to the application. However I'd like to further secure it. For example a consultant looking up all their customers in an autocomplete box is good, but they can instead send in some other consultant's id. What's the best way to secure this?
I've looked at this article here http://msdn.microsoft.com/en-us/library/w67h0dw7%28VS.71,classic%29.aspx . However, I don't know how to make this work with jquery ajax. Any help would be appreciated.
As far as I understand you want to make sure that you know the identity of the person using your service. If the web service is part of your application this should not be a problem by using cookies (assuming the web service is on the same domain as the site). See this e-book for some ideas.
Otherwise you could hand out temporary identifiers to the logged in members of your site which would be used in the webservice calls - this way even if the identifier is stolen, it can only be used for a limited time.
I made it more secure by using encryption. I encrypt the consultant's id when passing it via ajax, and decrypt it on the server side. Obviously I do the encryption on server side and pass it to client when rendering the page. And then ajax makes the call using that encrypted id.