Ajax - access protected resource - javascript

I am just trying to access a web service or any web page, for that matter, through Ajax (only Ajax is allowed for some reasons). The web service is protected by corporate SSO. In the sense that when the web page X is requested for the first time, you get redirected to the login page Y, which is outside of the app. Upon authentication, you get auto-redirected to the page X. Subsequent requests to page X will work without authentication. Of course, all these are handled through cookies. Whether or not to display login page Y is determined by the presence/validity/content of a few cookies.
Now, I am trying to access this protected resource X through Ajax. Is it possible to achieve this using Ajax? How can cookies be handled in an Ajax request?

AJAX uses GET and POST requests, so cookies are sent in the same way as when you do a GET or POST request when loading a new page.

Why do AJAX POST requests redirect with GET method but DELETE requests route with DELETE method? [duplicate]

I want to call a payment gateway. The payment gateway is called using a form submission with the method set to POST. Can I call the same gateway using a POST API call from the Node.js HTTP module? I am confused: I think I cannot call the gateway using a POST API call because it won't redirect to a new page, whereas a form has a method and an action which can redirect to a new page with a POST call.
There are multiple ways to submit a form from the browser:
1. HTML form, submit button, user presses submit button, no Javascript involved.
2. HTML form in the page, Javascript gets the DOM element for the form and calls the .submit() method on the form object.
3. Ajax call using the XMLHttpRequest interface with the POST method and manually sending appropriate form data.
4. Ajax fetch() call with the POST method and manually sending appropriate form data.
With #1 or #2, the browser sends the form and the browser will pay attention to redirects and will display the form response (whether redirected or not) in the browser.
With #3 and #4, the form is sent via Javascript and the response comes back to your Javascript. #3 does not process redirects. #4 has an option to process redirects. Here's more info on each of the above options. #3 and #4 do not affect the browser display at all unless you program your own Javascript to process the response and affect the browser display (either by inserting content or setting window.location to a new URL).
Here's some more info on the above schemes:
Programmatic Ajax calls with XMLHttpRequest do not process redirects or the response from the Ajax call in any way. They just return that response to YOUR Javascript. Keep in mind that a redirect is just one specific type of response you can get back from an Ajax call. This is different than a browser submitted form POST.
Programmatic Ajax calls with the fetch() interface offer an option to follow redirects automatically. See the redirect option here. But, even in this case, all the fetch() interface does is get the contents of the redirected URL. It does not cause the browser page to change. To do that, you would have to write your own Javascript code to either see the 3xx redirect response and then set window.location to the new redirect URL, or let the interface follow the redirect automatically and then do something with the new redirected content that it will return to your Javascript.
These programmatic requests are different from letting the browser submit a form for you. In the browser-submitted case (without using Javascript to submit the form), the browser follows redirects and updates the display in the browser based on whatever content is returned from the form response.
When you submit a form via Ajax, the browser does nothing automatically with the server response. That response goes back to your Javascript and your script decides what to do with it. If you want your script to follow redirects, then you have to examine the response, see if it's a 3xx status, get the new URL from the appropriate header and set window.location to that new URL. That will then cause the browser to display the redirect page. But, you have to either program that yourself or find an Ajax library that offers a feature to do it for you. A standard Ajax call just returns the form POST response back to your Javascript - that's all. Your script has to process that response and decide what to do next.
I am confused, that I cannot call gateway using post API cause it won't redirect to new page
You can. You just need to write your own Javascript to process the response from the programmatic API call and, if it's a 3xx redirect, then set window.location to the new URL to instruct the browser to load the new redirected page.
Form data is usually sent like

    address=Stackoverflow&poster=Ashkay

whereas a normal POST in JSON format will look like

    {
        "address": "stackoverflow",
        "poster": "Ashkay"
    }

You can mimic a form POST request in Node.js, e.g.:

    const request = require("request");

    request({
        uri: "http://www.test.com/payment/gateway.php",
        method: "POST",
        // `form` sends the fields application/x-www-form-urlencoded,
        // exactly as a browser would submit an HTML form with method="post"
        form: {
            address: "Stackoverflow",
            name: "Ashkay"
        }
    }, function(error, response, body) {
        if (error) {
            return console.error(error);
        }
        console.log(response.statusCode);
        console.log(body);
    });
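The two answers above describe the same thing from both ends: a form-encoded POST sent from script, and a response that the page must act on itself because fetch() never navigates the browser. Added example (not from either answer); the gateway URL and field names are placeholders, and the decision is returned rather than applied so it can be checked outside a browser:

```javascript
// Placeholder endpoint, not a real gateway.
const GATEWAY_URL = "https://gateway.example/payment";

// Encode fields the way an HTML form with method="post" does
// (application/x-www-form-urlencoded), e.g. address=Stackoverflow&poster=Ashkay.
function encodeForm(fields) {
  return new URLSearchParams(fields).toString();
}

// Inspect a fetch() Response (or any object with the same fields) and return
// what the page should do. With redirect: "follow" (the default) fetch() has
// already followed any 3xx itself; the only trace of it is response.redirected
// and response.url, and the browser is still showing the original page.
function planAfterResponse(response) {
  if (response.redirected) {
    return { action: "navigate", url: response.url };
  }
  if (response.ok) {
    return { action: "render", status: response.status };
  }
  return { action: "error", status: response.status };
}

// Submit the form from script. fetchImpl is injectable so the flow can be
// exercised with a stub; in a page it defaults to the global fetch.
async function submitPayment(fields, fetchImpl = fetch) {
  const response = await fetchImpl(GATEWAY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: encodeForm(fields),
    // "same-origin" is the default; a cross-origin gateway that relies on
    // cookies would need "include" and a matching CORS policy on its side.
    credentials: "same-origin",
    // "follow" is the default. "manual" does not expose the 3xx either: the
    // browser hands back an opaque redirect response with status 0.
    redirect: "follow",
  });
  const plan = planAfterResponse(response);
  if (plan.action === "navigate" && typeof window !== "undefined") {
    // Only this explicit step makes the browser display the redirect target.
    window.location.assign(plan.url);
  }
  return plan;
}
```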

Wrong referrer in AJAX call after user redirected to a page by click on back button

I've noticed one interesting thing in the Chrome browser. For example, we have two pages on our site: A and B. Both pages load script X, which makes an AJAX call to a server. When the user goes to page A, the requests for script X and the AJAX call have the URL of page A as referrer. That's fine. On page A we have a link to page B. If the user clicks on it he will be redirected to page B. Here we load script X and make the same AJAX call. Now the referrer in the headers for script X and the AJAX call is the URL of page B. That is still fine. Now if the user clicks the back button he will be redirected to page A. Script X will be requested with referrer A, but the AJAX call has referrer B.
I have two questions:
1. Why? If you try it in the Firefox browser then it works as expected. All AJAX calls have the actual page URL as referrer.
2. How to fix it? Is there a way to fix the referrer header, or can I only set the referrer as a GET/POST parameter?
Thanks
I've also found that the request is loaded from cache. I've added cache buster and now it's working fine.

Using Node.js to authorize a session as the client

EDIT: Re-wrote the question to be more general and focus on the core problem.
I've made a chrome extension that allows a user to play a mobile game in chrome. This is possible since the game is web-based.
Essentially what the extension does is:
1. sends an ajax POST request with the user id
2. the request returns a session id
3. open a new tab to a particular url passing the session id as a param
4. the page is then redirected to the game home page on successful authorization
5. otherwise, redirects to an error page
When I try to replicate this in Node.js:
1. I use request to send the POST request with the user id
2. the request returns a session id
3. I send a GET request to a particular url passing the session id as a param
4. the request returns with a status 500 response
5. It appears that the response body is the error page
I used a cookieJar (request.jar()) to handle the cookies/session, but I can't get it to work the same way the browser does it.
Any ideas?

how to get response only rendered javascript request

I have a service URL that includes a username and password like this: http://service.com/token?username=asd&password=123. But I cannot send a request from JavaScript, because the username and password would appear in the browser source code. So I created a proxy page on the server that sends the request to the service and gets the token, like this: http://mydomain.com/Token/GetToken
I created an index page http://mydomain.com/index.html and its JavaScript code sends a request to the proxy page and gets the token.
But somebody wrote a server page that sent requests to my proxy page (http://mydomain.com/Token/GetToken) and can get the token.
I want only my rendered pages to be able to send requests to my proxy page. Is this possible?
I am using a .NET MVC project.
The general approach is to use an existing authentication framework to protect http://mydomain.com/Token/GetToken.
If you're using a PHP backend, I suggest uLogin.

Security of ajax serving php file

Imagine the situation: I have an ajax.php file that displays specific information based on an Ajax request.
How can I block all requests going to the ajax.php file except those coming via Ajax?
I'm looking for something like this in PHP:

    if ($ajax) {
        // Do something
    }

Will this guarantee that a malicious user won't be able to see what ajax.php has to display? Since Ajax has the same-origin policy, the request must originate from the same domain, so in theory nobody will be able to call my ajax.php?
There is no way to reliably tell whether a request is an Ajax request or not, ever. Any client side information (like the referer) can be spoofed and you can not trust any of it.
You secure Ajax requests like any other request - usually through a session-based login system that checks whether the requesting client is logged in, and what they are allowed to see.
Other answers already mentioned it: there's no reliable way to determine if a script was called via an AJAX request. But I use this code to detect AJAX request:
    define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest');
Keep in mind that it can be spoofed, so don't depend on it.
What I am doing to secure our Ajax requests: whenever a user logs in, generate a token for the user (e.g. get the microtime and then convert it into some hash), then attach this token to that user.
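The answers above make one point: X-Requested-With is whatever the client chooses to send, so the access decision has to come from server-side session state. Added example in Node.js (not from the thread, whose code is PHP); the session store, cookie name `sid` and the permission flag are assumptions:

```javascript
// Constructed session store: in a real service this is backed by a server-side
// store keyed by an unguessable session id issued at login.
const SESSIONS = new Map([
  ["s3ss10n-abc", { user: "alice", canViewReport: true }],
  ["s3ss10n-def", { user: "bob", canViewReport: false }],
]);

// Parse a Cookie header into a name -> value map (first occurrence wins).
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name && !(name in out)) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The PHP thread's IS_AJAX check, kept only as a diagnostic: any HTTP client can
// set this header, so it says nothing about who is asking.
function looksLikeAjax(headers) {
  return headers["x-requested-with"] === "XMLHttpRequest";
}

// Authorize a request to the Ajax endpoint from a lower-cased header map, as
// Node's http module provides. The decision never consults X-Requested-With.
function authorize(headers) {
  const sid = parseCookies(headers.cookie).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 401, reason: "no valid session", ajaxHeader: looksLikeAjax(headers) };
  if (!session.canViewReport) return { status: 403, reason: "not permitted", ajaxHeader: looksLikeAjax(headers) };
  return { status: 200, user: session.user, ajaxHeader: looksLikeAjax(headers) };
}
```

The spoofed-header case comes back 401 and the plain fetch() without the header comes back 200: only the session cookie, which the server issued, moves the decision.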
