tags:

views:

374

answers:

6
+2  Q: 

Stop Direct Page Calls to Ajax Pages

Hi All,

Is there a "clever" way of stopping direct page calls in ASP.NET? (Page functionality, not the page itself)

By clever, I mean not having to add in hashes between pages to stop AJAX pages being called directly. In a nutshell, this is stopping users from accessing the Ajax pages without it coming from one of your websites pages in a legitimate way. I understand that nothing is impossible to break, I am simply interested in seeing what other interesting methods there are.

If not, is there any way that one could do it without using sessions/cookies?

Thanks,

Kyle

+2  A: 

You can check the Request headers to see if the call is initiated by AJAX Usually, you should find that x-requested-with has the value XMLHttpRequest. Or in the case of ASP.NET AJAX, check to see if ScriptMAnager.IsInAsyncPostBack == true. However, I'm not sure about preventing the request in the first place.

MikeB  2009-11-26 08:40:46
Would you not be able to spoof that header?
Kyle Rozendo  2009-11-26 09:43:59
Yes. http://stackoverflow.com/questions/623299/can-the-x-requested-with-http-header-be-spoofed
MikeB  2009-11-26 11:28:29
Thought so, hehe. Thanks for the answer though.
Kyle Rozendo  2009-11-26 11:34:54
+1 For the initial answer, I accepted catchdave's for the example code.
Kyle Rozendo  2009-12-08 05:06:12
A: 

I don't think there is a way to do it without using a session. Even if you use an Http header, it is trivial for someone to create a request with the exact same headers.

Using session with ASP.NET Ajax requests is easy. You may run into some problems, like session expiration, but you should be able to find a solution.

With sessions you will be able to guarantee that only logged-in users can access the Ajax services. When servicing an Ajax request simply test that there is a valid session associated with it. Of course a logged-in user will be able to access the service directly. There is nothing you can do to avoid this.

If you are concerned that a logged-in user may try to contact the service directly in order to steal data, you can add a time limit to the service. For example do not allow the users to access the service more often than one minute at a time (or whatever rate else is needed for the application to work properly).

See what Google and Amazon are doing for their web services. They allow you to contact them directly (even providing APIs to do this), but they impose limits on how many requests you can make.

kgiannakakis  2009-12-01 09:18:59
Alright, but then do you have a good method for doing it with a session?
Kyle Rozendo  2009-12-02 09:03:34
See my edited answer.
kgiannakakis  2009-12-02 09:36:28
A: 

Have you looked into header authentication? If you only want your app to be able to make ajax calls to certain pages, you can require authentication for those pages...not sure if that helps you or not?

Basic Access Authentication

or the more secure

Digest Access Authentication

Another option would be to append some sort of identifier to your URL query string in your application before requesting the page, and have some sort of authentication method on the server side.

jaywon  2009-12-01 09:26:11
A: 

I do this in PHP by declaring a variable in a file that's included everywhere, and then check if that variable is set in the ajax call file.

This way, you can't directly call the file ever because that variable will never have been defined.

iddqd  2009-12-02 20:32:11
I think you have mis-understood the question.What you suggested stops someone from directly browsing directly to a file that is visible via HTTP but that which you only want processed when included (as an aside - a better method is simply to put "included" files outside the scope of the web server all together).The question here is asking how to stop someone from looking at a page via the standard method in a browser - as opposed to - requesting the same URL via an AJAX call (ie: XmlHttpRequest, etc).
catchdave  2009-12-07 06:10:46
That's what I'm talking about too. You cannot view a file that checks for a variable that was declared in an included file directly. Try it. Make an index, declare variable. Include another file. Check for that variable's existence in the file you included.
iddqd  2009-12-07 15:08:52
Of course not (assuming register_globals is off). But in that case, that same file would not be able to be called directly via AJAX either (which is what the questioner wants to be able to do).
catchdave  2009-12-07 22:07:18
+4  A: 

Have a look at this question: http://stackoverflow.com/questions/216173/differentiating-between-an-ajax-call-browser-request

The best answer from the above question is to check for a requested-by or custom header.

Ultimately, your web server is receiving requests (including headers) of what the client sends you - all data that can be spoofed. If a user is determined, then any request can look like an AJAX request.

I can't think of an elegant method to prevent this (there are inelegant and probably non-perfect methods whereby you provide a hash of some sort of request counter between ajax and non-ajax requests).

Can I ask why your application is so sensitive to "ajax" pages being called directly? Could you design around this?

catchdave  2009-12-07 06:26:40
Thanks catchdave. The reason why I accepted this over MikeB's is for showing exactly how this is done. Seems there are not very many ways of stopping people from doing this, which I suspected, but this is at least another deterrent.
Kyle Rozendo  2009-12-08 05:05:25
A: 

This is the "non-trivial" way, hence it's not too elegant.

The only real idea I can think of is to keep track of every link. (as in everything does a postback and then a response.redirect). In this way you could keep a static List<> or something of IP addresses(and possible browser ID and such) that say which pages are allowed to be accessed at the moment from that visitor.. along with a time out for them and such to keep them from going straight to a page 3 days from now.

I recommend rethinking your design to be sure that this is really needed though. And also note IPs and such can be spoofed.

Also if you follow this route be sure to read up about when static variables get disposed and such. You wouldn't want one of those annoying "your session has expired" messages when they have been using the site for 10 minutes.

Earlz  2009-12-07 22:12:33

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps