June 14th, 2013, 03:48 AM
-
How to ensure javascript calls aren't spoofed?
Hi,
I have a web service that must service jQuery ajax clients. The physical JavaScript files that communicate with my web service are created and hosted by me. So the scenario is much like some embedded Google script or similar that many websites use.
My trouble is: How can I ensure that the client request comes from a valid customer? I can't rely on stuff that can be spoofed (e.g. http-referer).
Thanks
--
Werner
June 14th, 2013, 04:00 AM
-
A login is the only certain method.
June 17th, 2013, 03:45 AM
-
Originally Posted by web_loone08
web_loone08 agrees: Yeah, or maybe... a generated keycode, based on domain/ip; like Google uses with some of their APIs.
Exactly. "Authentication" would have been a better phrase rather than "Login."
June 19th, 2013, 03:04 AM
-
Could you elaborate on this? Would you have a service that creates tokens/keycodes based on the request domain/ip?
If yes, how would that prevent me from sniffing your traffic (to get your domain/ip), contacting the same service while spoofing headers with your data, and thus obtaining the same access as you?
It could be secured using SSL but isn't there another solution?
June 19th, 2013, 04:12 AM
-
Why would you not want to use SSL? Any level and/or type of authentication is open to exploitation if you do not wrap it in a secure layer.
You are speaking of spoofing. What type of data are you intending to protect?
June 24th, 2013, 03:21 AM
-
Originally Posted by Winters
Why would you not want to use SSL? Any level and/or type of authentication is open to exploitation if you do not wrap it in a secure layer.
You are speaking of spoofing. What type of data are you intending to protect?
As I wrote, I need to ensure "that the client request comes from a valid customer".
It is not that I don't want to use SSL, but I'm trying to determine if there are any real alternatives. Google seems to have some API-token logic that doesn't require SSL. And while I understand that the token-logic can deal with the "man-in-the-middle" problem, I can't figure out how to protect the token in Javascript.
--
Werner