Hi .. I have a function which receives an ajax get request and does
something with the database and returns a json object and looks like
the below:

    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.route('/checkajax')
    def myfunc():
        status = request.args.get('status')
        # commit status to the database
        return jsonify(theresponse="done")

Now my doubt is that any user can go through the javascript and get to
know that mysite/ajax is being called and can send some request
directly to this function, bypassing any ajax request.
How can I avoid this? It would be great if someone could also tell me
how I access the post data here if I send data via a post request.
Flask docs talk about handling the get request by request.args and
form posts by request.form['attr']. Would request.values do the job?
I hope someone helps me here..
What client library are you using? I'm using JQuery and WTForms in combination to handle my form submission. JQuery posts to my URL and once WTForms validates the data I then use request.is_xhr to determine if it's ajax and return a json response, otherwise I do a redirect. Works very well. I prefer JQuery as my client but there are heaps of alternatives.

Cheers

Adam

On Nov 8, 2010, at 1:43 PM, alice ni wrote:
Thanks a tonne.. request.is_xhr was what I did not know about.. I am using dojo and it is doing a good job, or I am able to do a decent job with it...

On Tue, Nov 9, 2010 at 1:22 AM, Adam Oakman <adam.oakman@gmail.com> wrote:
On 09/11/2010 04:59, alice ni wrote:
> Thanks a tonne.. request.is_xhr was what I did not know about..

Hi,

Note that you should not rely on request.is_xhr or anything given by the client for security. It is very easy to forge any HTTP request.
It is also a good practice to not change "state" in a GET request, since it may be done multiple times by proxies or when the user hits the back button of the browser. Use a POST request instead.

Regards,
--
Simon Sapin
Hi Alice,

I've had this concern as well. My current workaround is to use the sessions to determine if a valid session is active (having previously set a flag on successful authentication), else I return an empty dict. Not perfect, but it works.

I also use posts instead of gets, having experienced what Simon described.

Regards,
Mayowa

On Tue, Nov 9, 2010 at 1:27 AM, Simon Sapin <simon.sapin@exyr.org> wrote:
Thanks Mayowa and Simon, I am also using POST now instead of GET, but I am not sure how effective checking for valid sessions could be, considering that a person can very well log in, authenticate himself and try accessing the function.

On Tue, Nov 9, 2010 at 10:21 AM, Mayowa Akinyemi <mayowa@gmail.com> wrote:
So this is what I have done till now:

- I am checking whether a valid session is present while the function is being called.
- I am using POST rather than GET.
- I look for specific headers by using request.is_xhr, else I induce a redirect.
- I have compressed the javascript using dojo shrinksafe (..I am using dojo..).

Anything else that can and should be done?..

On Tue, Nov 9, 2010 at 11:18 AM, alice ni <alice.ni19@gmail.com> wrote:
On 09/11/2010 16:39, alice ni wrote:
> Anything else that can and should be done?..
For what purpose?
No, nothing, I got it. Considering the fact that the function is open to an ajax call, I was worried that someone might try to break into the function directly. But the point is that it has to be treated the same way as any other function in the app.

On Tue, Nov 9, 2010 at 1:23 PM, Simon Sapin <simon.sapin@exyr.org> wrote:
> On 09/11/2010 16:39, alice ni wrote:
>> Anything else that can and should be done?..
>
> For what purpose?
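As an added example (not code from the thread), here is a Flask view that applies the advice given above: the route accepts POST only, requires a server-side session flag set at login, reads the value from request.form, validates it, and treats the client-supplied X-Requested-With header as informational only. The /login route, the "authenticated" flag, the secret key and the allowed status values are assumptions made for this demo.

```python
from functools import wraps
from flask import Flask, abort, jsonify, request, session

app = Flask(__name__)
app.secret_key = "demo-only-secret"  # constructed value for this demo

ALLOWED_STATUSES = {"open", "closed"}  # constructed allow-list (assumption)


def login_required(view):
    """Refuse the request unless the server-side session carries the auth flag."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        if not session.get("authenticated"):
            abort(401)
        return view(*args, **kwargs)
    return wrapper


@app.route("/login", methods=["POST"])
def login():
    # Stand-in for real credential checking: sets the flag Mayowa describes.
    session["authenticated"] = True
    return jsonify(ok=True)


@app.route("/checkajax", methods=["POST"])  # GET is answered with 405
@login_required
def checkajax():
    # POST data lives in request.form; request.values would merge args and form.
    status = request.form.get("status")
    if status not in ALLOWED_STATUSES:
        abort(400)
    # The X-Requested-With header is chosen by the client, so it is recorded but
    # never used to gate the action (request.is_xhr no longer exists in current Werkzeug).
    xhr = request.headers.get("X-Requested-With") == "XMLHttpRequest"
    # "commit status to the database" would happen here
    return jsonify(theresponse="done", status=status, xhr=xhr)


def probe():
    """Drive the view with Flask's test client and return the status codes seen."""
    results, xhr = {}, {"X-Requested-With": "XMLHttpRequest"}
    data = {"status": "open"}
    with app.test_client() as c:
        results["get"] = c.get("/checkajax?status=open").status_code
        results["post_anon"] = c.post("/checkajax", data=data).status_code
        results["post_anon_xhr"] = c.post("/checkajax", data=data, headers=xhr).status_code
        c.post("/login")  # from here on the session cookie carries the flag
        results["post_auth_bad"] = c.post("/checkajax", data={"status": "drop"}).status_code
        results["post_auth"] = c.post("/checkajax", data=data).status_code
    return results
```

Running probe() shows that adding the header changes nothing without a valid session, which is the point Simon makes: only what the server itself stored can be trusted.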