How to ensure javascript calls aren't spoofed?

#1 Registered User, Devshed Newbie (joined Apr 2011, 6 posts)


    Hi,

    I have a web service that must serve jQuery ajax clients. The physical JavaScript files that communicate with my web service are created and hosted by me. So the scenario is much like some embedded Google script or similar that many websites use.

    My trouble is: How can I ensure that the client request comes from a valid customer? I can't rely on stuff that can be spoofed (e.g. http-referer).

    Thanks

    --
    Werner
#2 Super Moderator, Devshed Specialist (joined Jul 2003, 4,009 posts)
    A login is the only certain method.

    Comments on this post

    • web_loone08 agrees: Yeah, or maybe... a generated keycode, based on domain/ip; like Google uses with some of their APIs.
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]

    W3Fools - A W3Schools Intervention.
#3 Super Moderator, Devshed Specialist (joined Jul 2003, 4,009 posts)
    Originally Posted by web_loone08
    web_loone08 agrees: Yeah, or maybe... a generated keycode, based on domain/ip; like Google uses with some of their APIs.
    Exactly. "Authentication" would have been a better phrase rather than "Login."
#4 Registered User, Devshed Newbie (joined Apr 2011, 6 posts)
    Could you elaborate on this? Would you have a service that creates tokens/keycodes based on the request domain/ip?

    If yes, how would that prevent me from sniffing your traffic (getting your domain/ip), contacting the same service while spoofing headers with your data, and thus obtaining the same access as you?

    It could be secured using SSL but isn't there another solution?
#5 Super Moderator, Devshed Specialist (joined Jul 2003, 4,009 posts)
    Why would you not want to use SSL? Any level and/or type of authentication is open to exploitation if you do not wrap it in a secure layer.

    You are speaking of spoofing. What type of data are you intending to protect?
#6 Registered User, Devshed Newbie (joined Apr 2011, 6 posts)
    Originally Posted by Winters
    Why would you not want to use SSL? Any level and/or type of authentication is open to exploitation if you do not wrap it in a secure layer.

    You are speaking of spoofing. What type of data are you intending to protect?
    As I write, I need to ensure "that the client request comes from a valid customer".

    It is not that I don't want to use SSL, but I'm trying to determine if there are any real alternatives. Google seems to have some API-token logic that doesn't require SSL. And while I understand that the token-logic can deal with the "man-in-the-middle" problem, I can't figure out how to protect the token in Javascript.

    --
    Werner
