ria

Reputation: 811

How to secure my generic handler calls?

I am creating a MySpace application, and for some database entries I am using generic handlers which I have hosted on another website. From my MySpace application I use Ajax calls to those handlers to perform the activities that I want. I want to know how I can make these Ajax calls secure. I mean, I want to be sure that the handlers are being called only by the MySpace app and not by entering the URL into the browser, etc. Any ideas?

Upvotes: 5

Views: 1823

Answers (3)

Pritam Baldota

Reputation: 41

You can secure your Generic Web Handler by doing a trick with UrlReferrer, e.g.:

    // Reject requests that arrive without a Referer header
    if (context.Request.UrlReferrer == null)
    {
        context.Response.Write("Invalid Request");
        return;
    }

In addition, you can check that if UrlReferrer != null, then the domain name must match your incoming request URL, e.g.:

    // Accept the request only when the referrer contains the expected site URL
    if (context.Request.UrlReferrer.ToString().IndexOf("http://www.tyamjoli.com") != -1)
    {
        // Valid request
    }

Upvotes: 2

Hugh Jeffner

Reputation: 2946

I don't know much about myspace apps but is there a server component to it? If so, you could first request a "token" from the app which would be the encrypted action and some arbitrary timeout, say 3 seconds. The token is then passed to the generic handler which decrypts it then checks the timeout. If valid, then the decrypted action is performed.

Outside factors such as network latency and un-synchronized clocks could keep some actions from being performed. This should hamper simple replay attacks but is still vulnerable to a scripted attack.

Upvotes: 0
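The short-lived token scheme from the answer above, as an added example that is not part of the original answer: it signs the action and expiry with HMAC-SHA256 rather than encrypting them. The `ActionToken` class, the token layout and the demo key are assumptions; the key is shared by the server component and the handler host and is never sent to the browser.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: ActionToken and its token layout are hypothetical.
// Layout: base64(action) "." expiryUnixSeconds "." base64(HMAC-SHA256 over the first two fields)
public static class ActionToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Called by the server component that the app asks for a token.
    public static string Issue(byte[] key, string action, DateTime nowUtc, int lifetimeSeconds)
    {
        long expires = (long)(nowUtc - Epoch).TotalSeconds + lifetimeSeconds;
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(action)) + "." + expires;
        return payload + "." + Convert.ToBase64String(Sign(key, payload));
    }
    // Called by the generic handler: returns the action when the signature verifies
    // and the token is unexpired, otherwise null.
    public static string Validate(byte[] key, string token, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        long expires;
        if (parts.Length != 3 || !long.TryParse(parts[1], out expires)) return null;
        try
        {
            byte[] presented = Convert.FromBase64String(parts[2]);
            byte[] expected = Sign(key, parts[0] + "." + parts[1]);
            int diff = presented.Length ^ expected.Length;   // compare without early exit
            for (int i = 0; i < presented.Length && i < expected.Length; i++)
                diff |= presented[i] ^ expected[i];
            if (diff != 0) return null;                       // forged or altered token
            if ((long)(nowUtc - Epoch).TotalSeconds > expires) return null;  // window closed
            return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        }
        catch (FormatException) { return null; }
    }
    static byte[] Sign(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        DateTime t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);  // constructed clock
        string token = Issue(key, "addEntry", t0, 3);
        // Constructed tampering case: a different action reusing the old expiry and signature.
        string swapped = Convert.ToBase64String(Encoding.UTF8.GetBytes("deleteEntry")) + token.Substring(token.IndexOf('.'));
        Console.WriteLine(Validate(key, token, t0.AddSeconds(2)) ?? "rejected");   // inside the window
        Console.WriteLine(Validate(key, token, t0.AddSeconds(10)) ?? "rejected");  // presented late
        Console.WriteLine(Validate(key, swapped, t0) ?? "rejected");               // action altered
    }
}
```

A token stays valid for its whole lifetime, so a handler that must accept each token only once also needs to remember the tokens it has already seen until they expire.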

rook

Reputation: 67019

This is 100% impossible. Everyone will have access to your JavaScript and can modify it however they want. They can use TamperData to view all requests that the browser makes and drop/modify/replay them.

Upvotes: 0
