Wrox Programmer Forums
You are currently viewing the Ajax section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
October 30th, 2006, 10:37 PM
Registered User (Join Date: Oct 2006, Posts: 1)
Ajax Security Question!


I'm new to Ajax and I have a question about how security is handled.

Consider the following example: I have a page with a username and password which is authenticated against the database. Instead of refreshing the page every time user credentials fail, I made a function that checks the credentials, used Ajax to call the function, and acted accordingly.

My question is, what prevents anybody from looking at the Ajax JavaScript that calls the authentication function and then using that function remotely to crack username/password combinations?

How can the function check where the call is coming from to ensure it's from my application?

Obviously, with the old way the user can go to the page and try username/password combinations, but there were checks to make sure the page wasn't being called from somebody else's application.

I don't see how this is protected against in Ajax.


November 2nd, 2006, 05:46 AM
Friend of Wrox (Join Date: Jul 2003, Posts: 142)

Simple: there isn't any inbuilt security, if you think of Ajax as just a different way of making an HTTP request and getting an HTTP response. In, say, a PHP application, there's no inherent, built-in security. You would have to implement it with the PHP Auth package, or simple HTTP authentication, and this holds true for Ajax. I'm dealing with precisely the problem you describe at the moment, and the way I intend to deal with it is through timeouts - e.g. the first request for login is instant, then there's a 1 second delay, then 2 seconds, then 4, then 8, then 16, then 32, and we cap the delay at this level. A brute force attack is much less likely to succeed given that an authentication request can only be made every 32 seconds.

Another way would be through lockouts - e.g. three tries and then the username is locked. But this all goes back to what I said initially: securing an Ajax app is similar to securing a PHP or ASP.NET app - they provide tools to help you do it, but it is still up to you to implement a security architecture.
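The escalating-delay and lockout scheme described in the reply above, as an added server-side example that is not code from the original thread or from any Wrox book. It assumes a Node-style JavaScript request handler; the class and function names (`LoginThrottle`, `sampleVerify`, `runScenario`) and the sample credentials are constructed for illustration. The clock is injected so the back-off can be exercised without real waits.

```javascript
// Added example, not from the original thread: a server-side login throttle that
// enforces the escalating delay the reply describes (instant, then 1s, 2s, 4s, 8s,
// 16s, 32s, capped at 32s) and an optional "N failures and the username is locked" rule.
// All names below are assumed for illustration; this is not a library API.

class LoginThrottle {
  constructor({ maxDelaySeconds = 32, lockoutAfter = null, now = () => Date.now() / 1000 } = {}) {
    this.maxDelaySeconds = maxDelaySeconds; // cap on the back-off, 32 s in the reply
    this.lockoutAfter = lockoutAfter;       // e.g. 3 for "three tries and then locked"; null disables
    this.now = now;                         // clock in seconds; injectable for tests
    this.state = new Map();                 // username -> { failures, nextAllowed, locked }
  }

  // Delay (seconds) required after `failures` consecutive failures:
  // 0 -> 0, 1 -> 1, 2 -> 2, 3 -> 4, ..., 6 -> 32, 7+ -> 32 (capped).
  delayFor(failures) {
    if (failures <= 0) return 0;
    return Math.min(2 ** (failures - 1), this.maxDelaySeconds);
  }

  // Server-side gate: may an attempt for this username proceed right now?
  check(username) {
    const s = this.state.get(username);
    if (!s) return { allowed: true, retryAfter: 0, locked: false };
    if (s.locked) return { allowed: false, retryAfter: Infinity, locked: true };
    const remaining = s.nextAllowed - this.now();
    if (remaining > 0) return { allowed: false, retryAfter: remaining, locked: false };
    return { allowed: true, retryAfter: 0, locked: false };
  }

  recordFailure(username) {
    const s = this.state.get(username) || { failures: 0, nextAllowed: 0, locked: false };
    s.failures += 1;
    if (this.lockoutAfter !== null && s.failures >= this.lockoutAfter) s.locked = true;
    s.nextAllowed = this.now() + this.delayFor(s.failures);
    this.state.set(username, s);
    return s;
  }

  recordSuccess(username) {
    this.state.delete(username); // a good login resets the back-off
  }

  // The handler the Ajax call (or any other HTTP client) reaches. `verify` is the real
  // credential check; it runs only when the throttle allows it, so a throttled request
  // neither tests a password nor advances the delay.
  attempt(username, password, verify) {
    const gate = this.check(username);
    if (!gate.allowed) {
      return { ok: false, reason: gate.locked ? 'locked' : 'throttled', retryAfter: gate.retryAfter };
    }
    if (verify(username, password)) {
      this.recordSuccess(username);
      return { ok: true, reason: 'ok', retryAfter: 0 };
    }
    const s = this.recordFailure(username);
    return { ok: false, reason: s.locked ? 'locked' : 'invalid', retryAfter: this.delayFor(s.failures) };
  }
}

// Constructed stand-in for the database credential lookup (sample data, not real).
function sampleVerify(username, password) {
  return username === 'alice' && password === 'correct-horse-battery';
}

// Walk a fake clock through a sequence of attempts and return the reasons observed.
// `schedule` is a list of [secondsToAdvance, password] pairs.
function runScenario(schedule, options = {}) {
  let clock = 1000;
  const throttle = new LoginThrottle({ ...options, now: () => clock });
  const reasons = [];
  for (const [advance, password] of schedule) {
    clock += advance;
    reasons.push(throttle.attempt('alice', password, sampleVerify).reason);
  }
  return reasons;
}

// Wrong password, immediate retry (throttled), retry after 1 s (counted), and so on.
console.log(runScenario([[0, 'x'], [0, 'x'], [1, 'x'], [1, 'x'], [1, 'x'], [4, 'correct-horse-battery']]));
// Three failures with lockoutAfter: 3 locks the username for good.
console.log(runScenario([[0, 'x'], [1, 'x'], [2, 'x'], [100, 'correct-horse-battery']], { lockoutAfter: 3 }));
```

The throttle has to live in the server-side handler that the Ajax request reaches, since the browser-side JavaScript is visible and can be replayed by any HTTP client; nothing the client does can bypass a delay the server measures itself. Note also that a per-username lockout, the reply's second option, lets anyone who knows a username lock its owner out, so a delay-based scheme that caps rather than blocks is often the gentler default.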
