php - Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application? -

-

i'm working on ajax-driven application requests pass through amounts main controller which, @ bare bones, looks this:

if(strtolower($_server['http_x_requested_with']) == 'xmlhttprequest') {     fetch($page); }

is sufficient protect against cross-site request forgeries?

it's rather inconvenient have rotating token when entire page isn't refreshed each request.

i suppose pass , update unique token global javascript variable every request -- somehow feels clumsy , seems inherently unsafe anyway.

edit - perhaps static token, user's uuid, better nothing?

edit #2 - the rook pointed out, might hair-splitting question. i've read speculation both ways , heard distant whispers older versions of flash being exploitable kind of shenanigans. since know nothing that, i'm putting bounty can explain how csrf risk. otherwise, i'm giving artefacto. thanks.

i'd it's enough. if cross-domain requests permitted, you'd doomed anyway because attacker use javascript fetch csrf token , use in forged request.

a static token not great idea. token should generated @ least once per session.

edit2 mike not right after all, sorry. hadn't read page linked properly. says:

a simple cross-site request 1 that: [...] not set custom headers http request (such x-modified, etc.)

therefore, if set x-requested-with, request has pre-flown, , unless respond pre-flight options request authorizing cross-site request, won't through.

edit mike right, of firefox 3.5, cross-site xmlhttprequests permitted. consequently, have check if origin header, when exists, matches site.

if (array_key_exists('http_origin', $_server)) {     if (preg_match('#^https?://myserver.com$#', $_server['http_origin'])         dostuff(); } elseif (array_key_exists('http_x_requested_with', $_server) &&         (strtolower($_server['http_x_requested_with']) == 'xmlhttprequest'))     dostuff();

Comments

Post a Comment

Popular posts from this blog

windows - Why does Vista not allow creation of shortcuts to "Programs" on a NonAdmin account? Not supposed to install apps from NonAdmin account? -

-
i'm working on installer (using wise installer, older version 1999). i'm creating shortcut in programs group exe. i'm creating shortcut on desktop. if install run admin account, create shortcut on common desktop , common program group (i.e., read hkey_local_machine\explorer\shellfor users). if it's installed nonadmin account, install hkey_current_user's desktop , program group. behavior install on: xp nonadmin - desktop , program shortcuts install ok. vista admin - desktop & program shortcuts install ok. vista non-admin, uac off - desktop shortcut installs, program shortcut not . however, program group folder they're supposed installed does created. at end of install, launch program group has shorcut. launches in of above. can manually drag shortcut folder , works fine. i'm bloody baffled. i've tried installing other commercial apps (opera, foxit, firefox) firefox install under nonadmin (and if select other program files,...
Read more

c++ - How do I get a multi line tooltip in MFC -

-
right now, have tool tip pops when hover on edit box. problem tool tip contains multiple error messages , in 1 long line. need have each error message on own line. error messages contained in cstring new line seperating them. my existing code below. bool ontooltiptext(uint, nmhdr* pnmhdr, lresult* presult) { assert(pnmhdr->code == ttn_needtexta || pnmhdr->code == ttn_needtextw); // need handle both ansi , unicode versions of message tooltiptexta* pttta = (tooltiptexta*)pnmhdr; tooltiptextw* ptttw = (tooltiptextw*)pnmhdr; // tchar szfulltext[256]; cstring strtiptext=_t(""); uint nid = pnmhdr->idfrom; if (pnmhdr->code == ttn_needtexta && (pttta->uflags & ttf_idishwnd) || pnmhdr->code == ttn_needtextw && (ptttw->uflags & ttf_idishwnd)) { // idfrom hwnd of tool nid = ::getdlgctrlid((hwnd)nid); } //m_errprojaccel[ch] contains 1 or more error messages each...
Read more

unit testing - How to mock PreferenceManager in Android? -

-
i've written class using context , third party library , sharedpreferences preferencemanager . it's possible mock context , third party library can mocked using mocking framework, preferencemanager ? i have 2 methods: public void savestring(thirdpartyobject obj) { sharedpreferences apppreferences = preferencemanager.getdefaultsharedpreferences(mcontext); sharedpreferences.editor editor = apppreferences.edit(); editor.putstring(mcontext.getstring( r.string.preferences_string_name), obj.getstring()); editor.commit(); } and corresponding, loads preferences. it doesn't want mock instance of preferencemanager (which used in preferencefragment or preferenceactivity ). you want either: a mock sharedpreferences , in case can mock context#getsharedpreferences (which called preferencemanager#getdefaultsharedpreferences anyhow). you'll have make mock sharedpreferences.editor if preferences edited, above. know how moc...
Read more