Secure an AJAX request

mod_harbour is an Apache module that allows running PRGs directly on the web!

Secure an AJAX request

Postby Otto » Thu Nov 12, 2020 6:00 pm

Hello,
This is how I secure an AJAX request. I am interested in your opinions.
Instead of sessions or cookies, we write into the server's memory.
---------------------------------------------------------------------------------------------------
On program start we write a UUID key into the memory of the server.

function Main()
   // cUUID is not declared, so it becomes a PRIVATE memvar and is
   // visible inside encrypedtime() below
   cUUID := GenerateUUID()
   hb_SetEnv( "pwd", cUUID )   // memory write
---------------------------------------------------------------------------------------------------
On each AJAX request we send a string containing Seconds(), encrypted with cUUID.

code = {{ hb_jsonencode( encrypedtime() ) }};

ogrid = $('#example').DataTable({
   "ajax": {
      "url": "landingpage.prg",
      "type": "POST",
      data: { username: matchcode, password: code, action: cAction,
      }
   }
});

---------------------------------------------------------------------------------------------------

function encrypedtime()
   // encrypt the current time-of-day (seconds since midnight) with the server key
   local cVar := Crypt( AllTrim( Str( Seconds() ) ), cUUID )

   cVar := hb_Base64Encode( cVar )
   logging( "HB_BASE64ENCODE" + cVar )
return cVar

---------------------------------------------------------------------------------------------------
Inside the AJAX call we decrypt it and check the time against the time that has passed. If the difference is more than 2 seconds, we answer with an error message.

function main()
..
   local hPairs := AP_PostPairs()
   local cUUID := hb_GetEnv( "pwd" )   // the key written at program start
   local code, nSecsLapsed

   code := hb_UrlDecode( hPairs[ 'password' ] )

   code := hb_Base64Decode( code )
   logging( "HB_BASE64DECODE" + code )
   code := Crypt( code, cUUID )   // decrypt with the same key

   // seconds elapsed since the client built the token; compared with the 2-second limit
   nSecsLapsed := Seconds() - Val( code )
   logging( "Seconds" + Str( nSecsLapsed ) )


Though it's not 100%, it will stop most.

What do you mean?

Best regards,
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
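
As an added example that is not part of Otto's post or of mod_harbour: the same time-window idea written with Python's standard library. The server key is held in process memory like cUUID, the timestamp is bound to the user and the action with an HMAC instead of being encrypted on its own, the stamp is Unix epoch time rather than seconds since midnight, and a small nonce cache refuses a second use of a token within its 2-second window. The names make_token, TokenVerifier and WINDOW_SECONDS, and the extra hardening beyond the post (user/action binding, replay cache), are this example's own choices, not something the thread's code does.

```python
# Added example (not mod_harbour code): time-windowed, replay-resistant request
# token. Mirrors the post above (server-held secret, timestamp in the token,
# 2-second tolerance) with three design changes of this example:
#   1. the token is HMAC-SHA256 over user|action|timestamp|nonce, so a token
#      captured for one user or action is rejected for any other;
#   2. timestamps are Unix epoch seconds, so the window check also works across
#      midnight (Seconds() in the post counts seconds since midnight);
#   3. accepted nonces are remembered for the window length, so a token cannot
#      be replayed inside the 2 seconds in which it is still valid.
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

WINDOW_SECONDS = 2   # same tolerance as in the post


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, user: str, action: str, ts: int, nonce: str) -> bytes:
    # Length-prefix every field so "a|b" + "c" and "a" + "b|c" cannot collide.
    parts = [p.encode() for p in (user, action, str(ts), nonce)]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def make_token(secret: bytes, user: str, action: str,
               now: Optional[float] = None) -> str:
    """Server side, while rendering the page: mint the token embedded in the JS."""
    ts = int(time.time() if now is None else now)
    nonce = _b64(os.urandom(12))
    return f"{ts}.{nonce}.{_b64(_mac(secret, user, action, ts, nonce))}"


class TokenVerifier:
    """Server side, on the AJAX POST: malformed -> window -> signature -> replay."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self._seen = {}   # nonce -> time after which it can be forgotten

    def verify(self, token: str, user: str, action: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        # Forget nonces whose tokens could no longer pass the window check.
        self._seen = {n: t for n, t in self._seen.items() if t >= now}
        try:
            ts_text, nonce, mac_text = token.split(".")
            ts = int(ts_text)
            got = _unb64(mac_text)
        except ValueError:   # wrong field count, non-integer stamp, bad base64
            return False, "malformed"
        if abs(now - ts) > self.window:
            return False, "expired"
        expected = _mac(self.secret, user, action, ts, nonce)
        if not hmac.compare_digest(expected, got):
            return False, "bad signature"
        # Replay check runs after the signature check so that unauthenticated
        # junk cannot fill the nonce cache.
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts + self.window
        return True, "ok"


if __name__ == "__main__":
    secret = os.urandom(32)   # lives only in server memory, like cUUID in the post
    verifier = TokenVerifier(secret)
    token = make_token(secret, "otto", "list")
    print(verifier.verify(token, "otto", "list"))     # first use is accepted
    print(verifier.verify(token, "otto", "list"))     # second use is a replay
    print(verifier.verify(token, "otto", "delete"))   # same token, other action
```

The order of the checks matters: a token is only entered into the nonce cache after its signature has verified, so an attacker cannot evict or pre-fill entries with forged tokens, and the cache only needs to hold nonces for the length of the window because anything older fails the time check anyway.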

Re: Secure an AJAX request

Postby Otto » Thu Nov 12, 2020 6:58 pm

Dear Antonio,
Do you insert the functions MWrite and MRead in mod_harbour, or can we only use them with FastCGI?

I just noticed that hb_setenv() applies to the entire server. So I have to send an identifier with the name.
But then how can I delete the entries?

I think it works better with MWrite() and MRead().

    The implementation is quite easy:
    MWrite( "pwd", "my password" ) // memory write
    ? MRead( "pwd" ) // memory read
    from other browser tab or another user:
    ? MRead( "pwd" )
    There is also a new MErase( "pwd" ...
by Antonio Linares
Mon May 25, 2020 8:57 am
Forum: mod_harbour


In the meantime, I try with hb_setenv().
I did some tests.

FOR i := 1 TO 10000
   // ? "pwd" + AllTrim( Str( i ) )
   hb_SetEnv( "pwd" + AllTrim( Str( i ) ), cUUID )   // memory write
NEXT
I do not face problems. And my web pages do not have that much traffic.

Can you please tell us the differences between mod harbour and FASTCGI?

Thank you in advance,
Otto

Re: Secure an AJAX request

Postby Antonio Linares » Fri Nov 13, 2020 8:15 am

Dear Otto,

> Do you insert the functions MWrite and MRead in mod_harbour, or can we only use them with FastCGI?

Yes

> Can you please tell us the differences between mod harbour and FASTCGI?

mod_harbour does not keep a running EXE in the server. fastCGI uses a running EXE in the server.

We use standard mod_harbour. No need for the fastCGI version.
regards, saludos

Antonio Linares
www.fivetechsoft.com
