Official Content

As most web requirements are solved using AJAX, the security aspects inherent to this platform also need to be strengthened. The functionality described in this document was implemented in order to guarantee the security of applications.

Let us look at two aspects of this functionality:

Encrypted AJAX Call

One potential threat is posed by malicious web sites that could use cross-site request forgery (XSRF) to steal data from other AJAX-enabled web applications.

This kind of attack is carried out by identifying the AJAX endpoints of an application.

When AJAX calls are encrypted, a key is generated from the session ID. Even after obtaining the key, the only way to break this security is to obtain the same session as well, and this is (highly) unlikely.

Since AJAX calls are encrypted with a session key, AJAX queries cannot be sent directly to the server. If an attempt is made to send a query directly, the page responds with "Forbidden," because it expects to receive encrypted text in the AJAX call.

Set Up

Bear in mind that the encryption key is generated for each session. Once the session expires, the call is no longer valid and, consequently, neither is the page response. This is part of the security scheme itself, and it must be taken into account when setting up the web server session timeout. See Ajax Requests Security Property for more information.

Note: If the session expires, the following message appears: "session has expired, page will be reloaded"
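The scheme the sections above describe, as an added illustration that is not GeneXus's own implementation: a per-session key derived from the session ID, direct (unencrypted) queries answered with "Forbidden", and the reload message once the session has expired. The key derivation (HMAC-SHA256 over a server secret), the HMAC-based stream cipher and the in-memory session store are assumptions; the page does not disclose the actual algorithms.

```python
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)  # constructed per-deployment secret, never sent to the client
SESSION_TTL = 1800              # assumed web server session timeout, in seconds
SESSIONS = {}                   # constructed server-side store: session_id -> creation time

def open_session(session_id, created=None):
    SESSIONS[session_id] = time.time() if created is None else created

def session_key(session_id):
    """Per-session key derived from the session ID (HMAC-SHA256 is an assumption)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-based counter-mode keystream; stands in for the cipher GeneXus actually uses
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_call(session_id, payload):
    """Client side: encrypt and authenticate one AJAX payload under the session key."""
    key, nonce = session_key(session_id), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def handle_ajax(session_id, body, now=None):
    """Server side: ("ok", plaintext) for a valid encrypted call, ("forbidden", "Forbidden")
    for anything sent directly or under another session's key, and the reload message
    once the session (and with it the key) has expired."""
    now = time.time() if now is None else now
    created = SESSIONS.get(session_id)
    if created is None or now - created > SESSION_TTL:
        return "expired", "session has expired, page will be reloaded"
    if not isinstance(body, dict) or not all(k in body for k in ("nonce", "ct", "tag")):
        return "forbidden", "Forbidden"   # plain query, not the expected encrypted text
    try:
        nonce, ct, tag = (bytes.fromhex(body[k]) for k in ("nonce", "ct", "tag"))
    except (ValueError, TypeError):
        return "forbidden", "Forbidden"
    key = session_key(session_id)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return "forbidden", "Forbidden"   # wrong session key or tampered ciphertext
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return "ok", pt.decode()
```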

Encrypting AJAX calls is one of the options available to preserve the security of an application, but it does not replace the use of SSL (a secure channel). SSL is based on certificates, and all the information that travels over the network is encrypted on the basis of those certificates. The functionality explained here covers AJAX calls and does not require any additional configuration of the application server (such as installing certificates). If you use SSL on your server, every AJAX request is made according to the SSL protocol (https).
Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant