[TYPO3-english] Howto protect an eID url?

bernd wilke t3ng at bernd-wilke.net
Thu Feb 14 15:53:10 CET 2013


On 14.02.2013 11:56, Rik Willems wrote:
> Hi all,
>
> Through javascript I want to call an eID script that collects some data
> through a webservice. I don't want others to be able to harvest the
> eID/webservice data, so I need to protect it in some way.
>
> Who can point me in the right direction? What is the best way to protect
> eID calls in combination with javascript?
>
As any algorithm you implement only in JS can be reused, you need a key 
from your server in your JS, which changes by an unknown algorithm and 
which allows only a restricted number of requests.

Something like:
a JS variable is set with a coded timestamp, which has to be provided in 
the eID call as a parameter and which will give results in a time interval 
of 1 hour?

It is the same as with forms which must be protected against spam submits.

The algorithms used are:
captcha,
IP white-/blacklists,
hidden (and coded) values (cookies and/or undisplayed input fields) 
containing timestamps, referer, chashes to data stored on the server.

With algorithms which check time intervals, IP, requests per time from 
unique IP, referer, empty and filled input fields (input fields with 
"display:none" should not contain values, ...)

And all of these methods may filter some misuse and also filter some 
valid usage.

bernd
-- 
http://www.pi-phi.de/cheatsheet.html
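
The "coded timestamp" idea from the reply above, as an added example that is not part of the original mail or of TYPO3: it assumes the coding is an HMAC over the issue time, and that the request limit is counted per token in a server-side store. The function names, the secret placeholder and the limits are hypothetical.

```php
<?php
// Added example; names and limits are assumptions, not TYPO3 API.
const TOKEN_SECRET = 'replace-with-server-side-secret'; // placeholder, never sent to the browser
const TOKEN_TTL    = 3600; // the 1 hour interval suggested in the mail
const MAX_REQUESTS = 50;   // assumed request budget per token

// Called while rendering the page; the result is written into a JS variable.
function issueToken(int $now): string
{
    $payload = $now . '.' . bin2hex(random_bytes(8)); // issue time + random nonce
    return $payload . '.' . hash_hmac('sha256', $payload, TOKEN_SECRET);
}

// Called at the top of the eID script with the token sent by the JS call.
// $counters stands in for a server-side store (cache or DB table) keyed by nonce.
function checkToken(string $token, int $now, array &$counters): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false; // malformed
    }
    [$issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued . '.' . $nonce, TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false; // timestamp or nonce was altered, or token was not issued here
    }
    $age = $now - (int)$issued;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false; // outside the allowed time interval
    }
    // Count only authenticated tokens, so forged nonces cannot fill the store.
    $counters[$nonce] = ($counters[$nonce] ?? 0) + 1;
    return $counters[$nonce] <= MAX_REQUESTS;
}

// Constructed demo values.
$counters = [];
$t0 = 1360853590;
$token = issueToken($t0);
var_dump(checkToken($token, $t0 + 60, $counters));       // fresh, unmodified token
var_dump(checkToken($token . 'x', $t0 + 60, $counters)); // MAC modified
var_dump(checkToken($token, $t0 + 7200, $counters));     // older than TOKEN_TTL
```

A token issued this way can still be read by anyone who loads the page; what it limits is how long and how often one copy can be reused against the eID script.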

