Make .cfm template available only through ajax call?

I have a template configured to handle ajax calls made through jQuery. I pass a URL parameter called "method" and then use <cfswitch> on it to determine which block of code to execute.

The problem is that I do not want this page to be accessible outside of ajax call. In other words, I do not want the template to start if someone simply enters the URL into their browser.

Is there any way to do this? I thought there was a way in PHP to tell exactly what kind of request it was. Is there anything like that in ColdFusion? Or any other suggestions?

+4
3 answers

jQuery sends the request with an X-Requested-With header whose value is "XMLHttpRequest". In ColdFusion, you can see this by dumping the HTTP request data:

 <cfdump var="#getHTTPRequestData()#"> 

So, all you have to do is check this header, for example:

 <cfset reqData = getHTTPRequestData()>
 <cfif structKeyExists(reqData.headers, "X-Requested-With")
       and reqData.headers["X-Requested-With"] eq "XMLHttpRequest">
     Got an ajax request
 <cfelse>
     <!--- do something else, or nothing --->
 </cfif>
+8

If you use CF8, "there is a function for this". :)

Client side: use the cfajax tags that populate the view (i.e. cfdiv, cfwindow, cfgrid, cfinput ...)

Server side: use VerifyClient() in your .cfm template

OR:

Client side: use <cfajaxproxy> to build the JS for the remote CFC proxy

Server side: use <cffunction name="remoteMethod" access="remote" verifyClient="true">

+5

None of this will really protect you. It stops the unmotivated, but a motivated attacker (hackers, that is) can forge any header, which is trivially done using a browser plugin such as Live HTTP Headers.

https://addons.mozilla.org/en-US/firefox/addon/3829

At best, you will be left with obscurity, not security.

+1
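Pulling the first and third answers together, here is an added example (not code from any of the answers above, and not from the asker's template) of how the header check is usually combined with the controls that actually matter: an authenticated session and a whitelist of the "method" values the template is willing to dispatch. It assumes Application.cfc has sessionManagement enabled and that a login step sets session.userId; the method names are constructed.

```cfml
<!--- Added example, not from the answers above. Assumes Application.cfc has
      sessionManagement="true" and that the login step sets session.userId. --->
<cfset reqData = getHTTPRequestData()>

<!--- 1. Is this an XHR? jQuery adds "X-Requested-With: XMLHttpRequest".
      structKeyExists and "eq" are case-insensitive, so header-name casing
      and value casing do not matter here. --->
<cfset isAjax = structKeyExists(reqData.headers, "X-Requested-With")
                and reqData.headers["X-Requested-With"] eq "XMLHttpRequest">

<!--- 2. The real access control: the header can be forged by anyone, so the
      decision that matters is whether the caller has a logged-in session. --->
<cfif not structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 3. The header check only hides the template from casual browser visits;
      treat it as a convenience filter, not as a security boundary. --->
<cfif not isAjax>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Dispatch only on methods you deliberately expose; reject the rest
      instead of falling through to a cfdefaultcase that does "something". --->
<cfset allowedMethods = "getItems,saveItem">  <!--- constructed names --->
<cfparam name="url.method" default="">
<cfif not listFindNoCase(allowedMethods, url.method)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfswitch expression="#url.method#">
    <cfcase value="getItems">
        <cfset result = {items = []}>      <!--- placeholder for the real query --->
    </cfcase>
    <cfcase value="saveItem">
        <cfset result = {saved = true}>    <!--- placeholder for the real update --->
    </cfcase>
</cfswitch>

<!--- Return JSON only, so a stray browser visit never renders a page --->
<cfcontent type="application/json" reset="true">
<cfoutput>#serializeJSON(result)#</cfoutput>
```

Dropping this at the top of the ajax template keeps the behaviour the asker wants for ordinary visitors while making the forged-header case from the third answer harmless, because a forged header still arrives without a valid session.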
