I have a web application where I have used HTTP handlers and jQuery for AJAX calls.
Now the problem is that a user can type the same URL, the one generated by the jQuery code, into the browser and the operation is performed.
Can I send some token with the query string and then, on the server side, check for the right token before performing any operation?
Hope that I have written my problem correctly.
- Do you have authentication for your website? If yes, then the HTTP handler would only be invoked once the user is authenticated. (Anand, Jul 31, 2012 at 11:31)
- Inside the function that you are calling in the AJAX call, check for the login session. So now even though the user directly uses the URL, it will validate whether the user is logged in or not. (Narendra, Jul 31, 2012 at 11:35)
- I have used forms authentication and my handlers implement IRequiresSessionState. (शेखर, Jul 31, 2012 at 11:37)
- My problem is that after logging in, the user can call the handler from another browser tab. How can I avoid that? (शेखर, Jul 31, 2012 at 11:39)
- Can I implement something like a captcha? (शेखर, Jul 31, 2012 at 11:47)
2 Answers
You may need to handle this in a similar fashion to how it is handled in the MVC framework. Here is a similar post that describes a potential solution.
The above technique is called Cross-Site Request Forgery (CSRF).

Risk impact: an attacker can hijack a logged-in user's session to perform malicious transactions.

Recommendation: implement a page token (a random token sent as an additional parameter in the request) for all transaction pages. This token should be randomly generated and unique for each user.

The suggested URLs are
http://www.owasp.org/index.php/CSRF_Guard
http://www.cgisecurity.com/csrf-faq.html

```csharp
// CSRFGuard and SessionManager are the answerer's own classes; their source is not shown in the post.
var cg = new CSRFGuard();
cg.SetupCSRFTokenNameAndValue();               // generate a random token name and value
SessionManager.CustomerConfig.CsrfTokenName = cg.CsrfTokenName;   // remember them server-side
SessionManager.CustomerConfig.CsrfTokenValue = cg.CsrfTokenValue; // so the handler can verify the request
```
Thanks a lot.
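The second answer's recommendation carried through to an ASP.NET handler, as an added example that is not code from the post or the answerer's CSRFGuard class; the CsrfToken helper, TransferHandler and the X-CSRF-Token header name are assumed names. It sends the token in a request header rather than the query string, because a URL typed into another tab carries no custom header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

// One random token per session, kept server-side (assumed helper, not from the post).
public static class CsrfToken
{
    private const string SessionKey = "CsrfToken";
    public static string GetOrCreate(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }
    // Constant-time comparison: timing must not reveal how much of a guess matched.
    public static bool IsValid(HttpSessionState session, string presented)
    {
        var expected = session[SessionKey] as string;
        if (expected == null || presented == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(expected), b = Encoding.UTF8.GetBytes(presented);
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The page emits the token once: <script>var csrfToken = '<%= CsrfToken.GetOrCreate(Session) %>';</script>
// and the jQuery call sends it: $.ajax({ url: "Transfer.ashx", headers: { "X-CSRF-Token": csrfToken } });
public class TransferHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }
    public void ProcessRequest(HttpContext context)
    {
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }
        // A URL typed into another tab carries no custom header, so it stops here with 403.
        var presented = context.Request.Headers["X-CSRF-Token"];
        if (!CsrfToken.IsValid(context.Session, presented)) { context.Response.StatusCode = 403; return; }
        context.Response.ContentType = "text/plain";
        context.Response.Write("ok"); // the real operation goes here
    }
}
```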