Wrox Programmer Forums
#1
Old October 30th, 2006, 10:37 PM
Registered User
Join Date: Oct 2006
Ajax Security Question!


I'm new to Ajax and I have a question about how security is handled.

Consider the following example: I have a page with a username and password which is authenticated against the database. Instead of refreshing the page every time the user credentials fail, I made a function that checks the credentials, used Ajax to call the function, and acted accordingly.

My question is, what prevents anybody from looking at the JavaScript of the Ajax call that invokes the authentication function and making use of that function remotely to crack username/password combinations?

How can the function check where the call is coming from to ensure it's from my application?

Obviously, with the old way the user can go to the page and try username/password combinations, but there were checks to make sure the page wasn't being called from somebody else's application.

I don't see how this is protected against in Ajax.


#2
Old November 2nd, 2006, 05:46 AM
Friend of Wrox
Join Date: Jul 2003
Location: York, United Kingdom.
Posts: 142

Simple: there isn't any inbuilt security. Think of Ajax as just a different way of making an HTTP request and getting an HTTP response. In, say, a PHP application, there's no inherent, in-built security. You would have to implement it with the PHP Auth package, or simple HTTP authentication, and this holds true for Ajax. I'm dealing with precisely the problem you describe at the moment, and the way I intend to deal with it is through timeouts - e.g. the first request for login is instant, then there's a 1 second delay, then 2 seconds, then 4, then 8, then 16, then 32, and we cap the delay at this level. A brute force attack is much less likely to succeed given that an authentication request can only be made every 32 seconds.

Another way would be through lockouts - e.g. three tries and then the username is locked. But this all goes back to what I said initially: securing an Ajax app is similar to securing a PHP or ASP.NET app - they provide tools to help you do it, but it is still up to you to implement a security architecture.

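The doubling-delay schedule and the "three tries" lockout from the reply above, written as a server-side throttle (an added example, not code from the thread). The credential check, the clock passed in as `nowSeconds`, and the class and function names are assumptions; the key point is that the state lives on the server, so the browser-side Ajax code cannot skip it.

```javascript
// Added example: server-side login throttle implementing the reply's schedule.
// Delay before attempt N is 0, 1, 2, 4, 8, 16, 32 seconds, capped at 32.
const DELAY_SCHEDULE_SECONDS = [0, 1, 2, 4, 8, 16, 32];

// Seconds a client must wait after `failures` consecutive failed attempts.
function requiredDelaySeconds(failures) {
  const idx = Math.min(failures, DELAY_SCHEDULE_SECONDS.length - 1);
  return DELAY_SCHEDULE_SECONDS[idx];
}

class LoginThrottle {
  // checkCredentials: (username, password) => boolean, the real DB lookup (assumed).
  // lockoutAfter: number of failures after which the account is locked
  //   (Infinity = backoff only; 3 = the reply's "three tries" variant).
  constructor(checkCredentials, lockoutAfter = Infinity) {
    this.checkCredentials = checkCredentials;
    this.lockoutAfter = lockoutAfter;
    this.state = new Map(); // username -> { failures, lastAttempt }
  }

  // Called by the Ajax endpoint. nowSeconds is the server clock, never a client value.
  attempt(username, password, nowSeconds) {
    const s = this.state.get(username) || { failures: 0, lastAttempt: -Infinity };
    if (s.failures >= this.lockoutAfter) {
      return { status: 'locked' };
    }
    const wait = requiredDelaySeconds(s.failures);
    const elapsed = nowSeconds - s.lastAttempt;
    if (elapsed < wait) {
      // Rejected before the password is even checked; does not count as a failure,
      // so a flood of early retries cannot inflate the delay further.
      return { status: 'throttled', retryAfter: wait - elapsed };
    }
    s.lastAttempt = nowSeconds;
    if (this.checkCredentials(username, password)) {
      this.state.delete(username); // success resets the schedule
      return { status: 'ok' };
    }
    s.failures += 1;
    this.state.set(username, s);
    return { status: 'denied', retryAfter: requiredDelaySeconds(s.failures) };
  }
}
```

Because the state is keyed by username, an attacker who knows a username can keep that account throttled or locked; that availability trade-off is the cost of both approaches the reply describes.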