Hello,
This is how I secure an AJAX request. I am interested in your opinions.
Instead of session or cookies, we write into the server's memory.
---------------------------------------------------------------------------------------------------
On program start we write a UUID key into the memory of the server.
function Main()
cUUID := GenerateUUID()
hb_setenv( "pwd", cUUID ) // memory write
---------------------------------------------------------------------------------------------------
On AJAX request we send a string - encrypted with cUUID - containing Seconds().
code = {{hb_jsonencode( encrypedtime() )}};
ogrid = $('#example').DataTable({
"ajax": {
"url": "landingpage.prg",
"type": "POST",
data: {username: matchcode, password: code, action: cAction,
---------------------------------------------------------------------------------------------------
function encrypedtime()
local cVar := Crypt( ALLTRIM( str( Seconds() ) ), cUUID )
cVar := HB_BASE64ENCODE( cVar )
logging( "HB_BASE64ENCODE" + cVar )
return ( cVar )
---------------------------------------------------------------------------------------------------
Inside AJAX call we decrypt and check the time against the time passed. If there is more than 2 sec difference we answer with an error msg.
function main()
..
local hPairs := AP_PostPairs()
local cUUID := hb_GetEnv( "pwd" )
code := hb_UrlDecode( hPairs[ 'password' ] )
code := HB_BASE64DECODE( code )
logging( "HB_BASE64DECODE" + code )
code := Crypt( code, cUUID )
nSecsLapsed := seconds() - val( code )
logging( "Seconds" + STR( nSecsLapsed ) )
Though it's not 100%, it will stop most.
What do you mean?
Best regards,
Otto
Secure an AJAX request
********************************************************************
mod harbour - Let's go conquer the Web
modharbour.org
********************************************************************
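The freshness check from the post above, as an added example that is not part of the original post and is written in Python rather than Harbour. It authenticates the timestamp with HMAC-SHA256 instead of encrypting it with Crypt(), uses epoch time so the check does not depend on Seconds(), which restarts at midnight, and accepts each token only once inside the 2-second window. The names issue_token, verify_token and the seen set are assumptions made for this illustration.

```python
# Added example: the page render issues a token, the AJAX handler verifies it.
import base64
import hashlib
import hmac
import secrets
import time

MAX_AGE = 2.0  # seconds; the window used in the post


def _tag(key, body):
    """Hex HMAC-SHA256 of the token body under the server-side key."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_token(key, now=None):
    """Return base64url("<epoch_ms>.<nonce>.<hmac>") for embedding in the page."""
    now = time.time() if now is None else now
    body = f"{int(now * 1000)}.{secrets.token_hex(8)}"
    return base64.urlsafe_b64encode(f"{body}.{_tag(key, body)}".encode()).decode()


def verify_token(key, token, seen, now=None):
    """Return (ok, reason); `seen` holds nonces that were already accepted."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        ts_ms, nonce, tag = raw.split(".")
        issued = int(ts_ms) / 1000.0
    except ValueError:  # bad base64, bad UTF-8, wrong field count, bad number
        return False, "malformed"
    expected = _tag(key, f"{ts_ms}.{nonce}")
    # Constant-time comparison; bytes so that odd input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad signature"
    age = now - issued
    if age < 0 or age > MAX_AGE:  # reject future timestamps as well as old ones
        return False, "stale"
    if nonce in seen:  # same token sent a second time inside the window
        return False, "replayed"
    seen.add(nonce)
    return True, "ok"
```

The seen set only has to remember nonces for MAX_AGE seconds, and it has to live in storage shared by every server process that can receive the request.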
Re: Secure an AJAX request
Dear Antonio,
Do you insert the functions mwrite and mread in mod harbour, or can we only use them with FastCGI?
I just noticed that hb_setenv() applies to the entire server. So I have to send an identifier with the name.
But then how can I delete the entries?
I think it works better with MWRITE and MREAD.
In the meantime, I try with hb_setenv().
> The implementation is quite easy:
> MWrite( "pwd", "my password" ) // memory write
> ? MRead( "pwd" ) // memory read
> from other browser tab or another user:
> ? MRead( "pwd" )
> There is also a new MErase( "pwd" ...
> by Antonio Linares, Mon May 25, 2020 8:57 am, Forum: mod_harbour
I did some tests.
FOR I := 1 to 10000
// ? "pwd"+ALLTRIM( str( I ) )
hb_setenv( "pwd" + ALLTRIM( str( I ) ), cUUID ) // memory write
next
I do not face problems. And my web pages do not have that much traffic.
Can you please tell us the differences between mod harbour and FASTCGI?
Thank you in advance
Otto
- Antonio Linares
Re: Secure an AJAX request
Dear Otto,
> Do you insert the functions mwrite and mread in mod harbour, or can we only use them with FastCGI?
Yes
> Can you please tell us the differences between mod harbour and FASTCGI?
mod_harbour does not keep a running EXE in the server. fastCGI uses a running EXE in the server.
We use standard mod_harbour. No need for the fastCGI version.