AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns 329


Later on, when the request is made, the header is added with the passed value:

/* Set signature header */
if (request.signRequest)
request.xhr.setRequestHeader(request.requestSignature, request.signRequest);

Now on the server, the request signature is verified and the request is allowed or denied. In this case,
the server holds a secret that is combined with the passed user ID to recompute the expected
signature and so check the integrity of the request. Normally this value would be dynamic per user;
for the sake of demonstration it is coded directly into the example. Note that the client must
compute the same hash, so the shared value also has to be present in the downloadable JavaScript:
the header proves that a request came from code holding that value, not who sent it.

$headers = getallheaders();
if (isset($headers["X-Signature"]))
    $signature = $headers["X-Signature"];
else
    $signature = "";

$userID = gpc("userID");
$checkSumPair = "thisisourrandomchecksumvalue";
$verifySignature = md5($userID . $checkSumPair);

/* Compare strictly: PHP's loose != treats two numeric-looking digest
   strings (for example ones beginning with "0e") as equal */
if ($signature === "" || $signature !== $verifySignature)
    print "<span style='color:red;'>ERROR: This request is incorrect and has been cancelled.</span>";
else
    print "<h2>Your Account Details</h2>Account Number: 33345564<br />Balance: $33.21<br />SSN: 333-33-3333";

You can explore request signatures with the example at http://ajaxref.com/ch7/requestsignature.php,
also shown in Figure 7-15.
Similarly, the library was modified to support response signatures. Here, a property
signedResponse is added to the options object. This option can be set to true to have the
library check that the response carries an MD5 signature matching its body:

var options = { method: "GET",
payload : payload,
signedResponse: true,
outputTarget: "responseOutput"};
AjaxTCR.comm.sendRequest("http://ajaxref.com/ch7/sendsignature.php", options);

Up on the server, we need to make sure that responses are signed appropriately. Again,
everything is hard-coded. Note that the Content-MD5 header defined in RFC 1864 carries the
base64-encoded binary digest, whereas this example sends the hexadecimal output of PHP's md5();
the header is therefore a private convention between this library and this server rather than
the standard header, and intermediaries that validate Content-MD5 would not accept it.

$data = "<h2>Your Account Details</h2>Account Number: 33345564<br />Balance: $33.21<br />SSN: 333-33-3333";
$verifySignature = md5($data);
header("Content-MD5: $verifySignature");
print $data;

Back on the client-side, when the response is received, if it has been flagged for
checking, the library looks at the Content-MD5 header and compares that to the value