
Asked by Editorial Team on May 11, 2026


I’m writing a web app that will be making requests via AJAX and would like to lock down those calls. After a little research, I am considering using some form of random token (string) to be passed back along with the request (GUID?). Here are the important parts of my algorithm:

  1. Assign a token to a JavaScript variable (generated server-side).
  2. Also, store that token in a DB and give it a valid time period (i.e. 10 minutes).
  3. If the token has still not been used and is within its valid time window, allow the call.
  4. Return requested information if valid, otherwise, log the request and ignore it.

With an eye toward security, does this make sense? For the token, would a GUID work – should it be something else? Is there a good way to encrypt variables in the request?

EDIT:

I understand that these AJAX requests wouldn’t be truly ‘secure’ but I would like to add basic security in the sense that I would like to prevent others from using the service I intend to write. This random token would be a basic, front-line defense against abusive calls. The data that would be requested (and even submitted to generate such data) is HIGHLY unlikely to be repeated.

Maybe I’m wrong in using a GUID… how about a randomly generated string (token)?


1 Answer

Answered on May 11, 2026 at 9:18 am

    If you are doing this to trust code that you sent to the client browser, then change direction. You really don’t want to trust user input, which includes calls from js that you sent to the browser. The logic on the server should be made so that nothing wrong can be done through there. That said, asp.net uses a signed field, you might want to go that way if absolutely necessary.

    Expanding a bit: ASP.NET tamper-proofs the viewstate, which is sent as an HTML hidden field (depending on the configuration). I am sure there are better links as reference, but at least it is mentioned on this one: http://msdn.microsoft.com/en-us/library/ms998288.aspx

    validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:

    • SHA1 – SHA1 is used to tamper proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.

    A link to the .NET class for that algorithm: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1.hmacsha1.aspx

    Update 2: For tamper-proofing you want to sign the data (not encrypt it). Note that when using cryptography in general, you should really avoid using a custom implementation or algorithm. Regarding the steps, I would stick to:

    • Assign a token to a JavaScript variable (generated server-side). You include info to identify the request and the exact date & time when it was issued. The signature will validate that the server-side application issued the data.
    • Identify double submits if appropriate.

    That said, the reason ASP.NET validates the viewstate by default is that devs rely on info coming in there as being handled only by the application when they shouldn’t. The same probably applies to your scenario: don’t rely on this mechanism. If you want to evaluate whether someone can do something, use authentication + authorization. If you want to know the AJAX call is sending only valid options, validate them. Don’t expose an API at a finer granularity level than the one where you can appropriately authorize the actions. This mechanism is just an extra measure, in case something slipped, not a real protection.

    PS: with the HMACSHA1 above, you would instantiate it with a fixed key.

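An added example (not code from the question or the answer) that puts the asker's four steps together with the answer's advice: the token carries a request id and its issue time, an HMAC under a fixed server key makes it tamper-evident, and the server checks signature, time window and double submits. It assumes a Python server-side stub in place of the asker's stack, uses HMAC-SHA256 where the answer cites HMACSHA1, and the names `SERVER_KEY`, `issue_token`, `new_request_id` and `verify_token` are mine; the `seen` set stands in for the DB table the asker proposes.

```python
import hmac
import hashlib
import secrets

# Fixed server-side secret (constructed here for the example; in a real
# deployment load it from configuration and never send it to the browser).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds: the asker's 10-minute validity window


def new_request_id():
    """Random id to embed in the page's JavaScript variable (hypothetical helper)."""
    return secrets.token_hex(16)


def issue_token(key, request_id, issued_at):
    """Server side: bind a request id and its issue time (unix seconds) to an HMAC.

    Token layout is 'request_id:issued_at.<hmac-hex>'; request_id is hex, so it
    never contains the ':' or '.' separators.
    """
    payload = f"{request_id}:{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(key, token, now, seen, ttl=TOKEN_TTL):
    """Server side: accept only an unmodified, unexpired, not-yet-used token.

    Returns (ok, reason). 'seen' holds request ids already consumed, which is
    the answer's 'identify double submits' check.
    """
    try:
        payload, mac_hex = token.rsplit(".", 1)
        request_id, issued_str = payload.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"
    # Signature first, compared in constant time, so the remaining checks only
    # run on data the server itself issued.
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_hex):
        return False, "bad signature"
    if now < issued_at or now - issued_at > ttl:
        return False, "expired"
    if request_id in seen:
        return False, "replayed"
    seen.add(request_id)
    return True, "ok"
```

As the answer stresses, this only shows that the server issued the token; whether the caller may perform the action is still a separate authentication and authorization decision.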
