Any time!

Keep in mind that anyone can call your method with Ajax, so you still need to
verify the request (localhost or otherwise).

On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews <li...@commadelimited.com> wrote:

>
> Oooh. That's a good idea. Since we're using it for AJAX, make it so that it
> can ONLY be used as AJAX, which would prevent other sites from using it
> because of cross-site scripting.
>
> Great idea Tony, thanks!
>
> -----Original Message-----
> From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
> Sent: Friday, August 13, 2010 2:55 PM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
>
> I use a CFC that checks to see if the method being called is from within the
> domain, is indeed Ajax, and that the method is indeed accessed remotely;
> otherwise it aborts the request. If you are doing cross-site requests, pass a
> unique key in your form.
>
> Is it ajax?
>
>    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>        <!---
>        All of the user management requests are going to come via Ajax within the domain.
>        If a request is not from this site and not Ajax, abort the request.
>        Run this check on any of the remote methods.
>        --->
>        <cfscript>
>            // var-scope the local so concurrent requests do not share it through the variables scope
>            var requestHeaders = getHTTPRequestData().headers;
>            if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
>                return false;
>            }
>            else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
>                return false;
>            }
>            else {
>                return true;
>            }
>        </cfscript>
>    </cffunction>
>
>
> Called on init:
>
>        <cfparam name="url.method" default="">
>        <cfscript>
>            accessRemote = false;
>            cfcname = getMetadata(this);
>            // is url.method one of this CFC's methods declared access="remote"?
>            // (the access key is only present in the metadata when it was declared)
>            for (i = 1; i lte arrayLen(cfcname.functions); i++) {
>                fname = cfcname.functions[i];
>                if (fname.name eq url.method
>                    and structKeyExists(fname, "access")
>                    and fname.access eq "remote") {
>                    accessRemote = true;
>                    break;
>                }
>            }
>            // abort unless both hold: the call came in via Ajax AND it targets a remote method
>            if (not isAjax() or not accessRemote) {
>                abort(); // this is a simple cfabort function for MX
>            }
>        </cfscript>
>
>
>
> On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews
> <li...@commadelimited.com> wrote:
>
> >
> > I have a method that I'm exposing remotely. We'll be using AJAX calls
> > to insert usability stats about a new application. I'm working through
> > the code when I realize that since it's remote access, anyone from any
> > site could post to it and skew our results.
> >
> > I'm wondering what's the best way to prevent access to this URL from
> > any other site, or code. My first thought was to compare the current
> > URL, dev1 for example, to the URL the request was made from, or
> > perhaps the IP address. But I'm not sure how to get that information.
> >
> > Anyone have ideas?
> >
> >
> >
> > andy matthews
> >
> >
>
>
>
> 

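An added example, not code from this thread or from Tony's CFC: the two checks Tony describes, the X-Requested-With test and the "unique key in your form", written in Python rather than CFML so the logic reads on its own, with constructed requests run through both. The key is implemented here as an HMAC bound to the caller's session and to an expiry; `SERVER_KEY`, the key format, the session ids `sess-A`/`sess-B` and the scenario names are assumptions made for the illustration.

```python
"""Added example (not code from the thread): the two checks Tony describes,
the X-Requested-With test and a unique key carried in the form, written in
Python so the logic reads without CFML.  Requests are constructed dicts."""
import hashlib
import hmac
import secrets

# Assumption: a server-side secret normally loaded from configuration; generated
# here so the example runs stand-alone.  It never goes to the client.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a form key stays valid


def is_ajax(headers):
    """Same test as the CFC's isAjax(): header present and equal to XMLHttpRequest.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("x-requested-with") == "XMLHttpRequest"


def issue_key(session_id, now, ttl=TOKEN_TTL):
    """Build the 'unique key' to render into the page that makes the AJAX call.
    Format: <expiry>.<hex HMAC-SHA256 over session_id|expiry>, so the key is bound
    to one session and one validity window and cannot be minted without SERVER_KEY."""
    expires = now + ttl
    mac = hmac.new(SERVER_KEY, f"{session_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def verify_key(key, session_id, now):
    """Accept only an unexpired key whose MAC matches this session.  compare_digest
    keeps the comparison constant-time and returns False on a length mismatch."""
    try:
        expires_str, mac = key.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now >= expires:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def gate(headers, form, session_id, now):
    """Decision for one request: (allowed, reason).  The header check runs first
    because it is cheap, but only the key check rejects a script that simply
    sets X-Requested-With itself."""
    if not is_ajax(headers):
        return False, "not ajax"
    if not verify_key(form.get("key", ""), session_id, now):
        return False, "bad key"
    return True, "ok"


def demo():
    """Constructed requests against the gate; returns {scenario: (allowed, reason)}."""
    now = 1_281_700_000  # fixed clock so results are reproducible
    ajax_headers = {"X-Requested-With": "XMLHttpRequest"}
    key_a = issue_key("sess-A", now)
    tampered = key_a[:-1] + ("0" if key_a[-1] != "0" else "1")
    return {
        # the page's own XHR: header set by the browser, key rendered into the form
        "browser_xhr": gate(ajax_headers, {"key": key_a}, "sess-A", now),
        # a URL typed into the address bar: no header, so the CFC-style check stops it
        "address_bar": gate({}, {"key": key_a}, "sess-A", now),
        # curl -H "X-Requested-With: XMLHttpRequest": passes the header check, has no key
        "script_with_header": gate(ajax_headers, {}, "sess-A", now),
        # key lifted from session A and replayed by a client holding session B
        "replayed_other_session": gate(ajax_headers, {"key": key_a}, "sess-B", now),
        # same client, at the moment the key's validity window closes
        "expired": gate(ajax_headers, {"key": key_a}, "sess-A", now + TOKEN_TTL),
        # one hex digit of the MAC flipped
        "tampered": gate(ajax_headers, {"key": tampered}, "sess-A", now),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:24} -> {verdict}")
```

The header test stops a URL pasted into the address bar and, inside a browser, a cross-origin XMLHttpRequest (a custom header forces a CORS preflight that the server never approves), which is the case Andy asked about; it does nothing against curl or a server-side script, which is Tony's point at the top of the thread. The key carries the real decision, and the CFML version is the same shape: render the key into the page, post it with the request, recompute the HMAC against the session on the server and compare.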
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336274
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
