views:

439

answers:

3

I'm writing a web app that will be making requests via AJAX and would like to lock down those calls. After a little research, I am considering using some form of random token (string) to be passed back along with the request (GUID?). Here's the important parts of my algorithm:

  1. Assign a token to a JavaScript variable (generated server-side).
  2. Also, store that token in a DB and give it a valid time period (i.e. 10 minutes).
  3. If the token has still not been used and is within it's valid time window, allow the call.
  4. Return requested information if valid, otherwise, log the request and ignore it.

With an eye toward security, does this make sense? For the token, would a GUID work - should it be something else? Is there a good way to encrypt variables in the request?

EDIT:

I understand that these AJAX requests wouldn't be truly "secure" but I would like to add basic security in the sense that I would like to prevent others from using the service I intend to write. This random token would be a basic, front-line defense against abusive calls. The data that would be requested (and even submitted to generate such data) would is HIGHLY unlikely to be repeated.

Maybe I'm wrong in using a GUID... how about a randomly generated string (token)?

A: 

"Securing" is kind of a vague term. What exactly are you trying to accomplish? Using a GUID is a perfectly fine way to prevent duplicate submissions of the same request, but that is all.

If the information being passed between the client and server is truly sensitive, you should do it over HTTPS. That's really the only answer as far as securing the actual communication is concerned.

Edit: To answer your question regarding whether a GUID is the "right" way - there is no right way to do what you're suggesting. Using any token, whether it's a GUID or something of your own creation, will not have any effect other than preventing duplicate submissions of the same request. That's it.

Rex M
I'm not just talking about having a unique identifier for each request here. I'm talking a token such as a temporary validation key that will allow the request or not.
Aaron
A: 

It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.

If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.

A GUID used in the way that you're suggesting is really just reinventing a session id cookie.

Bryan Kyle
+2  A: 

If you are doing this to trust code that you sent to the client browser, then change direction. You really don't want to trust user input, which includes calls from js that you sent to the browser. The logic on the server should be made so that nothing wrong can be done through there. That said, asp.net uses a signed field, you might want to go that way if absolutely necessary.

Expanding a bit: Asp.net tamper-proofs the viewstate, which is sent as a html hidden field (depending on the configuration). I am sure there are better links as reference, but at least it is mentioned on this one: http://msdn.microsoft.com/en-us/library/ms998288.aspx

validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:

  • SHA1–SHA1 is used to tamper proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.

A link for the .net class for that algorithm http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1.hmacsha1.aspx.

Update 2: For tamper-proofing you want to sign the data (not encrypt it). Note that when using cryptography in general, you should really avoid using a custom implementation or algorithm. Regarding the steps, I would stick to:

  • Assign a token to a JavaScript variable (generated server-side). You include info to identify the request and the exact date&time where it was issued. The signature will validate the server side application issued the data.
  • Identify double submits if appropriate.

That said, the reason asp.net validates the viewstate by default, is because devs rely on info coming in there as being handled only by the application when they shouldn't. The same probably applies for your scenario, don't rely on this mechanism. If you want to evaluate whether someone can do something use authentication+authorization. If you want to know the ajax call is sending only valid options, validate them. Don't expose an API at granularity level than the one where you can appropriately authorize the actions. This mechanism is just an extra measure, in case something slipped, not a real protection.

Ps. with the HMACSHA1 above, you would instantiate it with a fixed key

eglasius
My hunch is you're talking about exactly what I'm after. Can you elaborate and possibly include some links? Thanks for the help!
Aaron
Using my own library I can encrypt strings, and at the heart of it this is exactly what I'm talking about. You understand what I mean... Do you think that my algo is worth pursing? If so, what do you suggest as an algo to generate the random sequence, or what other options do you suggest?
Aaron
@Aaron added an update, this is a scenario to sign info not encrypt, also I assume you aren't doing custom cryptography in your library. The info to identify the request doesn't has to be random, as it is being signed.
eglasius