Works perfectly, Tony. I simplified the conditional tho'

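<!--- headers is the request header struct, as in Tony's function --->
<cfset headers = getHTTPRequestData().headers>
<cfif StructKeyExists(headers,'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
    <!--- request carries the Ajax marker header; handle it here --->
</cfif>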
 

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com] 
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites


I use a cfc that checks to see if the method being called is from within the
domain, is indeed ajax and that the method is indeed accessed remotely,
otherwise abort the request. If you are doing cross site requests, pass a
unique key in your form.

Is it ajax?

    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
        <!---
        all of the user management requests are going to come via ajax within the domain.
        if a request is not from this site and not ajax, abort the request
        run this check on any of the remote methods
        --->
        <cfscript>
            // var-scope the local so it does not leak into the CFC's variables scope
            var requestHeaders = getHTTPRequestData().headers;
            if(not StructKeyExists(requestHeaders, "X-Requested-With")){
                return false;
            }
            else if(StructFind(requestHeaders,"X-Requested-With") neq "XMLHttpRequest"){
                return false;
            }
            else{
                return true;
            }
        </cfscript>
    </cffunction>




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336273
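
Added example, not code from the thread: one way to combine the three checks Tony describes (Ajax header, request from within the domain, unique key from the form) in a single gate for remote methods. The names isTrustedAjaxRequest, submittedKey and session.ajaxKey are hypothetical; it assumes session management is enabled and that a random key was stored in session.ajaxKey when the form was rendered. All three headers are supplied by the client, so the session key is the only check here that depends on something the server issued.

```cfml
<cffunction name="isTrustedAjaxRequest" access="private" returntype="boolean" output="false">
    <cfargument name="submittedKey" type="string" required="true">
    <cfscript>
        var requestHeaders = getHTTPRequestData().headers;
        var source = "";
        var sourceHost = "";

        // 1. Ajax marker header, same test as isAjax() in the thread.
        if (not StructKeyExists(requestHeaders, "X-Requested-With")
            or requestHeaders["X-Requested-With"] neq "XMLHttpRequest") {
            return false;
        }

        // 2. Same-domain check: prefer Origin, fall back to Referer.
        //    A request that carries neither is rejected.
        if (StructKeyExists(requestHeaders, "Origin")) {
            source = requestHeaders["Origin"];
        } else if (StructKeyExists(requestHeaders, "Referer")) {
            source = requestHeaders["Referer"];
        } else {
            return false;
        }
        // Drop the scheme, then keep the host part (up to the first "/", ":" or "?").
        // IPv6 literal hosts are not handled in this sketch.
        sourceHost = REReplaceNoCase(source, "^https?://", "");
        sourceHost = ListFirst(sourceHost, "/:?");
        if (CompareNoCase(sourceHost, cgi.server_name) neq 0) {
            return false;
        }

        // 3. Unique key: must exist in the session and match what the form sent.
        if (not StructKeyExists(session, "ajaxKey") or not Len(arguments.submittedKey)) {
            return false;
        }
        return Compare(session.ajaxKey, arguments.submittedKey) eq 0;
    </cfscript>
</cffunction>
```

A remote method would call this first and abort the request when it returns false.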