[TYPO3-english] Howto protect an eID url?
bernd wilke
t3ng at bernd-wilke.net
Thu Feb 14 15:53:10 CET 2013
On 14.02.2013 11:56, Rik Willems wrote:
> Hi all,
>
> Through javascript I want to call an eID script that collects some data
> through a webservice. I don't want others to be able to harvest the
> eID/webservice data, so I need to protect it in some way.
>
> Who can point me in the right direction? What is the best way to protect
> eID calls in combination with javascript?
>
As every algorithm you implement only in JS can be reused, you need a key
from your server in your JS, which changes by an unknown algorithm and
which allows only a restricted number of requests.
Something like:
a JS variable is set with a coded timestamp, which has to be provided in
the eID call as a parameter and which will give results in a time interval
of 1 hour?
It is the same as with forms which must be protected against spam submits.
The algorithms used are:
captcha,
IP white-/blacklists,
hidden (and coded) values (cookies and/or undisplayed input fields)
containing timestamps, referer, chashes to data stored on the server,
with algorithms which check time intervals, IP, requests per time from
unique IP, referer, empty and filled input fields (input fields with
"display:none" should not contain values, ...).
And all of these methods may filter some misuse and also filter some
valid usage.
bernd
--
http://www.pi-phi.de/cheatsheet.html
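
The "coded timestamp" idea from the reply above, sketched as an added example that is not part of the original message and uses no TYPO3 API: the page embeds a server-signed timestamp in a JS variable, and the eID script checks signature, age, client IP and a per-token request budget. All function names, the secret, the 100-request limit and the in-memory counter are assumptions.

```php
<?php
// Added example: names, secret and limits are assumptions, not TYPO3 API.
const TOKEN_MAX_AGE  = 3600;  // one hour, as suggested in the reply
const TOKEN_MAX_USES = 100;   // assumed request budget per token

// Called while rendering the page; the result is written into a JS variable.
function issueToken(string $secret, string $clientIp, int $now): string
{
    // The MAC binds the timestamp to the client IP the page was served to.
    $mac = hash_hmac('sha256', $now . '|' . $clientIp, $secret);
    return $now . '.' . $mac;
}

// Called at the top of the eID script with the token the JS request sent.
// $uses stands in for server-side storage (cache table, session, ...).
function checkToken(string $token, string $secret, string $clientIp,
                    int $now, array &$uses): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                        // malformed token
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued . '|' . $clientIp, $secret);
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return false;                        // forged, or issued to another IP
    }
    $age = $now - (int)$issued;
    if ($age < 0 || $age > TOKEN_MAX_AGE) {
        return false;                        // expired or dated in the future
    }
    $uses[$token] = ($uses[$token] ?? 0) + 1;
    return $uses[$token] <= TOKEN_MAX_USES;  // restricted number of requests
}

// Constructed sample run (IPs are documentation addresses).
$secret = 'constructed-sample-secret';
$uses   = [];
$t0     = 1360853590;
$token  = issueToken($secret, '192.0.2.10', $t0);
var_dump(checkToken($token, $secret, '192.0.2.10', $t0 + 60, $uses));   // same client, 1 min later
var_dump(checkToken($token, $secret, '198.51.100.7', $t0 + 60, $uses)); // token replayed from another IP
var_dump(checkToken($token, $secret, '192.0.2.10', $t0 + 7200, $uses)); // two hours later
```

Anyone who loads the page still receives a valid token, so this limits how long and how often a harvested token works rather than hiding the data from visitors.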