Oooh. That's a good idea. Since we're using it for AJAX, then make it so
that it can ONLY be used as AJAX, which would prevent other sites from using
it because of the cross site scripting.

Great idea Tony, thanks! 

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com] 
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites


I use a cfc that checks to see if the method being called is from within the
domain, is indeed ajax and that the method is indeed accessed remotely,
otherwise abort the request. If you are doing cross site requests, pass a
unique key in your form.

Is it ajax?

    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
        <!---
        all of the user management requests are going to come via ajax within the domain.
        if a request is not from this site and not ajax, abort the request
        run this check on any of the remote methods
        --->
        <cfscript>
            requestHeaders = getHTTPRequestData().headers;
            if(not StructKeyExists(requestHeaders, "X-Requested-With")){
                return false;
            }
            else if(StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest"){
                return false;
            }
            else{
                return true;
            }
        </cfscript>
    </cffunction>


Called on init:

        <cfparam name="url.method" default="">
        <cfscript>
            accessRemote = false;
            cfcname = getmetadata(this);
            for(i=1;i lte arrayLen(cfcname.FUNCTIONS);i++){
                fname = cfcname.FUNCTIONS[i];
                if(fname.name eq url.method && fname.access eq "remote"){
                    accessRemote = true;
                    break;
                }
            }
            if(not isAjax() and not accessRemote){
                abort();//this is a simple cfabort function for MX
            }
        </cfscript>



On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews
<li...@commadelimited.com> wrote:

>
> I have a method that I'm exposing remotely. We'll be using AJAX calls 
> to insert usability stats about a new application. I'm working through 
> the code when I realize that since it's remote access, anyone from any 
> site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from 
> any other site, or code. My first thought was to compare the current 
> URL, dev1 for example, to the URL the request was made from, or 
> perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
>
>
> andy matthews
>
> 
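Putting Tony's AJAX check together with his suggestion of a unique key, as an added example that is not code from the thread: a CFC whose remote method accepts the call only when the request carries the X-Requested-With header and a token issued to the caller's session. It assumes session management is enabled in Application.cfc and that the page which makes the AJAX call has stored the token in session.statsToken and sends it as a parameter; the names isTrustedAjaxRequest, logUsage and statsToken are my own.

```cfml
<cfcomponent output="false">

    <!--- Assumption: a page in the same session issued the token earlier with
          session.statsToken = hash(createUUID(), "SHA-256")
          and passed it to the JavaScript that calls logUsage(). --->

    <!--- True only when the request carries the AJAX marker header AND a token
          matching the one issued to this visitor's session. --->
    <cffunction name="isTrustedAjaxRequest" access="private" returntype="boolean" output="false">
        <cfargument name="token" type="string" required="true">
        <cfscript>
            var headers = getHTTPRequestData().headers;
            // 1. Custom header: a plain cross-site form post, <img> or <script>
            //    load from another origin cannot add this header in the browser.
            if (not StructKeyExists(headers, "X-Requested-With")
                or headers["X-Requested-With"] neq "XMLHttpRequest") {
                return false;
            }
            // 2. Session token (the "unique key" from the thread): another site
            //    never sees it, so it cannot replay the call with a valid value.
            //    compare() is case-sensitive and returns 0 only on an exact match.
            if (not StructKeyExists(session, "statsToken")
                or len(arguments.token) eq 0
                or compare(arguments.token, session.statsToken) neq 0) {
                return false;
            }
            return true;
        </cfscript>
    </cffunction>

    <!--- Remote method: answers 403 instead of silently recording a skewed stat. --->
    <cffunction name="logUsage" access="remote" returntype="boolean" output="false" returnformat="plain">
        <cfargument name="token" type="string" required="true">
        <cfargument name="event" type="string" required="true">
        <cfif not isTrustedAjaxRequest(arguments.token)>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfreturn false>
        </cfif>
        <!--- insert the usability stat for arguments.event here --->
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

jQuery's $.ajax adds the X-Requested-With header on its own; a non-browser client can set any header it likes, so the header only rules out browser-driven cross-site calls, and it is the session token that ties the call to a visitor who actually loaded your page.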



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336269
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm