FiveTech Software tech support forums

[Otto]

Hello,
This is how I secure an AJAX request. I am interested in your opinions.
Instead of session or cookies, we write into the server's memory.
---------------------------------------------------------------------------------------------------
On program start we write a UUID key into the memory of the server.

function Main ()
cUUID: = GenerateUUID ()
hb_setenv ("pwd", cUUID) // memory write
---------------------------------------------------------------------------------------------------
On AJAX request we send a string - encrypted with cUUID - containing seconds ().

code = {{hb_jsonencode (encrypedtime ())}};

ogrid = $ ('# example'). DataTable ({
"ajax": {
"url": "landingpage.prg",
"type": "POST",
data: {username: matchcode, password: code, action: cAction,

---------------------------------------------------------------------------------------------------

function encrypedtime ()
local cVar: = Crypt (ALLTRIM (str (Seconds ())), cUUID)

cvar: = HB_BASE64ENCODE (cVar)
logging ("HB_BASE64ENCODE" + cVar)
return (cvar)

---------------------------------------------------------------------------------------------------
Inside AJAX call we decrypt and check the time against the time passed. If there is more than 2 sec difference we answer with an error msg.

function main ()
..
local hPairs: = AP_PostPairs ()
local cUUID: = hb_Getenv ("pwd")

code: = hb_UrlDecode (hPairs ['password'])

code: = HB_BASE64DECODE (code)
logging ("HB_BASE64DECODE" + code)
code: = Crypt (code, cUUID)

nSecsLapsed: = seconds () - val (code)
logging ("Seconds" + STR (nSecsLapsed))


Though its not 100% but will stop most.

What do you mean?

Best regards,
Otto

[Otto]

Dear Antonio,
Do you insert the functions mwrite and mread in mod harblour or can we only use them with Fastcgi.

I just noticed that hb_setenv() applies to the entire server. So I have to send an identifyer with the name.
But then how can I delete the entries.

I think it works better with MWRITE and MREAD.

The implementation is quite easy: MWrite( "pwd", "my password" ) // memory write ? MRead( "pwd" ) // memory read from other browser tab or another user: ? MRead( "pwd" ) There is also a new MErase( "pwd" ...
by Antonio Linares
Mon May 25, 2020 8:57 am
Forum: mod_harbour

In the meantime, I try with hb_seten()
I did some tests.
FOR I := 1 to 10000
// ? "pwd"+ALLTRIM( str( I ) )
hb_setenv( "pwd" + ALLTRIM( str( I ) ), cUUID ) // memory write
next
I do not face problems. And my web pages do not have that much traffic.

Can you please tell us the differences between mod harbour and FASTCGI?




Thank you in advance
Otto

[Antonio Linares]

Dear Otto,

> Do you insert the functions mwrite and mread in mod harblour or can we only use them with Fastcgi

Yes

> Can you please tell us the differences between mod harbour and FASTCGI?

mod_harbour does not keep a running EXE in the server. fastCGI uses a running EXE in the server.

We use standard mod_harbour. No need for the fastCGI version.