I am using the jQuery GetJSON call in my ASP page. It is something like the following code:
$.ajax({
    url: 'myUrl/myPage.aspx?callback=BookARoom', // URL must be a string literal
    dataType: 'json'
});
This will actually end up in a room being booked in my system, but the issue is that if a user copies this URL and pastes it in a browser, the room would get booked. Since he already has the session, I can't differentiate it in the ASP Pages. How can I prevent this?
There are two problems here.
First problem: GET requests are supposed to be safe. There are lots of things that can trigger a GET request. If you are changing state based on a GET request, your code is dangerously broken. Use POST.
Secondly, other websites can cause your user to make requests to your website. This is known as Cross-Site Request Forgery. The typical solution is to require a nonce with each request. Because the nonce is unknown to the other website, they can no longer forge requests. The link I provided will give you further reading on alternative solutions.
To prevent your average user from doing it, require POST instead of GET as the HTTP verb (the requirement must be enforced server side), and type: "POST" should be used in your ajax call.
To prevent your "advanced" user from spoofing it, the short answer is: you can't. There are ways around anything that you can come up with. Consider using a CSRF token to prevent others from embedding the link in another website.