
Secure an AJAX request

Posted: Thu Nov 12, 2020 6:00 pm
by Otto
Hello,
This is how I secure an AJAX request. I am interested in your opinions.
Instead of session or cookies, we write into the server's memory.
---------------------------------------------------------------------------------------------------
On program start we write a UUID key into the memory of the server.

function Main()
   local cUUID := GenerateUUID()
   hb_SetEnv( "pwd", cUUID ) // memory write
return nil
---------------------------------------------------------------------------------------------------
On AJAX request we send a string - encrypted with cUUID - containing Seconds().

code = {{ hb_jsonEncode( encrypedtime() ) }};

ogrid = $('#example').DataTable({
   "ajax": {
      "url": "landingpage.prg",
      "type": "POST",
      "data": { username: matchcode, password: code, action: cAction }
   }
});
---------------------------------------------------------------------------------------------------

function encrypedtime()
   local cUUID := hb_GetEnv( "pwd" ) // the key written by Main()
   local cVar := Crypt( AllTrim( Str( Seconds() ) ), cUUID )

   cVar := hb_base64Encode( cVar )
   logging( "HB_BASE64ENCODE " + cVar )
return cVar

---------------------------------------------------------------------------------------------------
Inside AJAX call we decrypt and check the time against the time passed. If there is more than 2 sec difference we answer with an error msg.

function main()
   ..
   local hPairs := AP_PostPairs()
   local cUUID := hb_GetEnv( "pwd" )
   local code, nSecsLapsed

   code := hb_UrlDecode( hPairs[ "password" ] )

   code := hb_base64Decode( code )
   logging( "HB_BASE64DECODE " + code )
   code := Crypt( code, cUUID )

   nSecsLapsed := Seconds() - Val( code )
   logging( "Seconds " + Str( nSecsLapsed ) )

   if Abs( nSecsLapsed ) > 2 // more than 2 sec difference: answer with the error msg and stop
      ? hb_jsonEncode( { "error" => "request expired" } )
      return nil
   endif
   ..
return nil


Though it's not 100%, it will stop most.

What do you mean?

Best regards,
Otto
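
An added example, not Otto's code and not part of mod_harbour: the same scheme written in Python so the two-second window check can be run and tested against stale, future-dated, forged and malformed tokens. Two things are swapped in and labelled as assumptions: an HMAC tag binds the timestamp to the server key instead of the thread's Crypt() call (a client without the key cannot mint a token or change the timestamp of one it captured), and epoch seconds stand in for Harbour's Seconds() so midnight does not reset the clock. The optional `seen` cache goes one step beyond the thread: it refuses a token that already passed once inside the window, which is the replay gap behind "it's not 100%". The server secret is constructed here in place of the UUID that Main() writes with hb_setenv().

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: plays the role of the UUID that Main() stores
# with hb_setenv("pwd", cUUID). Generated once per server process, never sent.
SERVER_SECRET = secrets.token_bytes(32)

MAX_AGE_SECONDS = 2.0  # the thread's rule: more than 2 s difference is an error
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_token(secret, now):
    """Build the value the page sends as the 'password' POST field.

    The thread encrypts Str(Seconds()) with the server key. Here the timestamp
    travels in clear and is bound to the key with an HMAC tag instead
    (a swap-in, not the thread's Crypt()). Epoch seconds replace Seconds().
    """
    ts = f"{now:.3f}".encode()
    tag = hmac.new(secret, ts, hashlib.sha256).digest()
    return base64.b64encode(ts + b"." + tag).decode()


def check_token(secret, token, now, max_age=MAX_AGE_SECONDS, seen=None):
    """Server-side check mirroring landingpage.prg: decode, verify, compare time.

    Returns (accepted, reason). If `seen` (a dict token -> timestamp) is given,
    a token that already passed once inside the window is refused.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return False, "malformed token"
    if len(raw) < TAG_LEN + 2 or raw[-TAG_LEN - 1:-TAG_LEN] != b".":
        return False, "malformed token"
    ts, tag = raw[:-TAG_LEN - 1], raw[-TAG_LEN:]

    # Verify the tag before trusting anything in the payload; constant-time compare.
    expected = hmac.new(secret, ts, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"

    try:
        sent = float(ts.decode())
    except ValueError:
        return False, "bad timestamp"

    # Same rule as the landing page: |now - sent| > 2 s is rejected, which
    # covers both stale tokens and tokens dated in the future.
    lapsed = now - sent
    if abs(lapsed) > max_age:
        return False, f"outside window ({lapsed:+.1f} s)"

    if seen is not None:
        # Forget tokens that could no longer pass the time check anyway,
        # so the cache only ever holds one window's worth of entries.
        for old, t in list(seen.items()):
            if now - t > max_age:
                del seen[old]
        if token in seen:
            return False, "replayed token"
        seen[token] = sent
    return True, "ok"


if __name__ == "__main__":
    cache = {}
    tok = make_token(SERVER_SECRET, time.time())
    print(check_token(SERVER_SECRET, tok, time.time(), seen=cache))  # (True, 'ok')
    print(check_token(SERVER_SECRET, tok, time.time(), seen=cache))  # replayed token
    print(check_token(SERVER_SECRET, tok, time.time() + 5))          # outside window
```

The order of the checks matters: the tag is verified before the timestamp is parsed or the cache is consulted, so an unauthenticated request can neither trigger a parse error path nor fill the replay cache. Clock skew between the browser and the server still counts against the two seconds, exactly as in the thread, since the token is minted server-side in the page and only echoed back by the client.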

Re: Secure an AJAX request

Posted: Thu Nov 12, 2020 6:58 pm
by Otto
Dear Antonio,
Do you insert the functions mwrite and mread in mod_harbour, or can we only use them with FastCGI?

I just noticed that hb_setenv() applies to the entire server. So I have to send an identifier with the name.
But then how can I delete the entries?

I think it works better with MWRITE and MREAD.
The implementation is quite easy:
MWrite( "pwd", "my password" ) // memory write
? MRead( "pwd" ) // memory read
from other browser tab or another user:
? MRead( "pwd" )
There is also a new MErase( "pwd" ...
by Antonio Linares
Mon May 25, 2020 8:57 am
Forum: mod_harbour
In the meantime, I try with hb_setenv().
I did some tests.
FOR I := 1 TO 10000
   // ? "pwd" + AllTrim( Str( I ) )
   hb_SetEnv( "pwd" + AllTrim( Str( I ) ), cUUID ) // memory write
NEXT
I do not face problems. And my web pages do not have that much traffic.

Can you please tell us the differences between mod harbour and FASTCGI?

Thank you in advance
Otto

Re: Secure an AJAX request

Posted: Fri Nov 13, 2020 8:15 am
by Antonio Linares
Dear Otto,

> Do you insert the functions mwrite and mread in mod harblour or can we only use them with Fastcgi

Yes

> Can you please tell us the differences between mod harbour and FASTCGI?

mod_harbour does not keep a running EXE in the server. fastCGI uses a running EXE in the server.

We use standard mod_harbour. No need for the fastCGI version.