I have the following situation: A frontend server redirects with HTTP Post to a backend server. At entry of the backend server, I execute some PHP code before the page has been loaded. I would like to send a notification, at this point, back to the frontend server that the redirection was successful.
The entry page on the backend uses the Post/Redirect/Get pattern to prevent browser form resubmission alert, so after this the PHP code does a HTTP Get request to itself. After the Get header has been sent, the notification back to the frontend should not be sent from PHP code, to prevent sending it each time the page is refreshed on the backend server.
Can this be done from PHP code, or do I have to wait until the document has loaded and then use an Ajax call from Javascript and somehow check that the notification is only sent once (the first time)?
After all processing was complete, your backend server could redirect back to the front-end server, with any custom data to be passed either as POST vars or url parameters in a GET. The front end server would then handle the UI display of this custom data.
But I think thats a sloppy design... systems should be segregated not just for security reasons, but also for scalability. The best design IMHO would be to make bi-directional AJAX calls between your "frontend" web server to a firewalled, "backend" system.
Related
I'm working on an SDK type thing for submitting data (including file uploads) to a service that I run.
I'm doing research, and trying to figure out the best way to submit data and get a response to an external server (my server) without being blocked by XSS restrictions.
The current setup is as so:
The customer hosts a server, and uses my server side library.
They generate a client page that loads the required JS from my server.
The client page requests data from my server (if it was not passed from the SDK on page load), and displays the information to the user.
The user then triggers an event, which submits data (potentially including file uploads) to my server (not the local server with the SDK library).
My server responds success or fail and the client JS handles it appropriately.
Some notes:
My server is a private PHP server that I have complete control over.
Although I could route all data through the customer's server (as they are using my library), it is not ideal, as it requires more set up for the customer, is slower for the end user, and handling file uploads is problematic as I want those files on my server, not theirs.
I thought perhaps the file upload inputs could be in an iframe. Will this allow uploads direct to my server?
Since the customer is using my library with an API key, I can authenticate the client's requests by passing an authentication token to the front end on page load that then gets passed to my server with whatever communication method ends up working.
I am open to changes in the architecture, but this is the ideal set up for me. I am just not sure what frontend methods are best for implementing this.
JSONP would work if you only need to make GET requests, but it sounds like you need to do POSTs as well since you mention file uploads.
For your case, Cross-Origin Resource Sharing (CORS) might work. The short explanation is that a browser will send an extra header named Origin if you make a request with XMLHttpRequest to another domain. Your server needs to respond with an additional header named Access-Control-Allow-Origin with a value of * or the value the browser sent in the Origin header. There are some nuances and gotchas when using CORS, so I recommend reading the link above for a thorough explanation.
With CORS set up, you should be able to use XMLHttpRequest to upload files.
My website returns a JSON string contains database result when you call the URL through ajax. It's actually public. I mean everybody can send an ajax request to my website and simply get the result neatly (currently my website acts like a free API).
Now all I'm trying to do is authenticating all requests and just response the known ones. So I think I need to pass a token with along each request for identification.
My question: How should I make that token (that no one else can)? And how should I identify that token on server side?
If your "website" and the "app" that calls your website reside on the same domain. Then this can be done server side.
First CORS will stop any java-script app from replicating your client code on another server and calling, or the lack of.
Second. On your server just check that all incoming calls are from the same HOST or the host you want to permit. This would reject any calls that did not originate from the same domain - which you control.
I don't know what language you are using so i can't post code.
I suggest you use jwt to authorize. U can achieve this by requiring that a user log in first and respond with a token on successful request. This token will then be used for subsequent requests
I am making a node.js server and I have the code to get the server running. However, I am not sure how to get data from the client into to database. This is a game I am working on which I want to make multiplayer so I am new to node.js. Every player has a different picture on their screen and I am using javascript to draw on a canvas in my html file. How do I get information from the player and then query that to then give them an output to draw on their screen.
Thank you the sooner this can be answered the better
A browser client can do one of three things with a server.
It can request a new web page thus changing the active page in the browser (probably not what you're asking for).
It can send an ajax call to the server and receive a response from the server. An ajax call can either be used just to send information to the server or it can be used to get information from the server and then display that information to the user by changing the currently displayed web page.
You can create a lasting webSocket connection to the server. After the webSocket connection is created, then the server can send the client new data or requests or the client can send the server data or requests. Data or requests can be sent either way.
If you just want to send from the web page to the server so that the server can store something in the database, then you would likely use the 2nd option (an Ajax call). You would create a route in your node.js server (e.g. a specific URL for this Ajax call) and then from your client, you would make an Ajax request to that specific URL. You can also send data or parameters to the server with the Ajax request.
I have a PHP application which has some jQuery and Ajax features in it. I would like to know, how is it possible to regenerate the Session Token - which I'm sending to validate the Ajax request - upon each Ajax request (without loading the page)?
I have more elements on the page which are running multiple Ajax queries, however at this moment they all get the same token. So if someone has the tokey, they can submit a forged request from another form I guess.
Generating token on client side makes no sense. You can't trust anything coming from client side, as you don't know if it's your client software which sends the request, or a malicious one.
You must create as many tokens as you have ajax possible requests, and return a new token with each response.
You should generate a CSRF token on server side for each user or each session. You can store it in your database, or in your session. You should send that token to your client, and wait it back with the ajax requests. It will work until your site is not XSS vulnerable...
Btw the first step to secure your application is using the HTTPS protocol...
I'm going to write an application, having some worker threads on the server, and some log and status elements on the html page. logs and status are expected to be updated whenever an update is ready from the server side.
well, one approach is to set up a polling mechanism, like the client sends a request on specified intervals and the server sends back the last update, (if any available).
however I wonder if there is any more efficient way like an interrupt-driven approach, on which whenever an update is ready on the server a message is sent to the client through an Ajax call. and as long as no update exists no message is transferred back and forth.
first of all, is this possible to initiate a call from the server side? I mean via Ajax.
or is there any library like JQuery that facilitates such a requirement?
Thanks
Consider using web sockets (Available in HTML5) - This will allow you to skip polling an update the data immediately as the server sends up his finish request.
Read more on:
http://www.html5rocks.com/en/tutorials/websockets/basics/