Security Software Conflicts with AJAX? 84
ithyus needs help with the following: "My employer is running an e-commerce site that, until recently, our customers were quite happy to use. With increased traffic to the site we decided to implement AJAX to try to reduce the load on our database servers. In doing so, our customers have experienced all kinds of problems with security/privacy software such as Norton and McAfee. It seems that no matter what we do we can't make these programs happy. Bigger companies such as Google have documented work arounds for some of them, but we wouldn't be able to keep our docs current with all the software that's presently out there. I'd really like to know how Slashdot's readers have handled these issues. Since security programs don't appear to be compatible with the emerging features of the Internet, do you simply suggest that the customer disable the offending software or do you opt to offer some support for the more popular ones? Are those really the only two options? How do you justify your method?"
Re:what are the specific problems? (Score:1)
Re:what are the specific problems? (Score:1)
(Yes, referers can be spoofed and needn't be specified in HTTP, but every browser sends them by default
Re:what are the specific problems? (Score:1)
http://www.your-site.com/do_action.php?action=del
Check the referer. It's not your-site.com? Don't delete all my stuff.
Re:what are the specific problems? (Score:2, Funny)
Re:what are the specific problems? (Score:2)
No, that's a poor use of Referer. What happens when you have a blank Referer header? You can either ignore the request, which breaks things for people who have disabled that header, or you can go ahead with the request, which causes security problems for people who have disabled that header.
Established best practice for avoiding attacks like this is to generate a random value tied to the user to be used as a hidden field in each legitimate form and check for valid values for each request.
Re:what are the specific problems? (Score:1)
It may not have been the "best practice", but it did keep my users safe, which is all I care about.
Re:what are the specific problems? (Score:2)
Re:what are the specific problems? (Score:1)
Re:what are the specific problems? (Score:2)
-Jar.
Re:what are the specific problems? (Score:1)
Re:what are the specific problems? (Score:1)
Re:what are the specific problems? (Score:2)
Generally, you work around the user's environment (Score:1, Interesting)
If you're resorting to using AJAX only ameliorate your DB load, you may wish to try more conser
Re:Generally, you work around the user's environme (Score:1)
Unless you can predict the future, you can't "optimize queries" to only get the data the user is going to want. Random crap advice of "optimize your queries" is worthless and unhelpful.
Getting data on demand is how the web is going to work. I'd suggest you stick to the standards and the users will complain to the anti-
Re:Generally, you work around the user's environme (Score:1)
Do you even know what he meant by "optimize queries"?
The actual data retrieved by a client is pretty much irrelevant. It mostly doesn't matter which data the user is going to want. It only matters how they get the data. No (sane) web site allows visitors to run custom SQL queries, so therefore there are a limited number of queries that are performed. Each of those can be examined to determine whether or not they are being done in the mo
Re:Generally, you work around the user's environme (Score:2)
What I said was:
Unless you can predict the future, you can't "optimize queries" to only get the data the user is going to want.
It's very often that a website doesn't present all the data to the user that the user could request. Fetching the data on demand can result in database improvements that "optimized queries" can't touch because you don't even have to get the data often times.
And yes, I do know what it means, I do it for a living.
Answered Own Question? (Score:4, Insightful)
Eh? (Score:2)
Oh, while we're at it, explain how sheep's bladders may be employed to prevent earthquakes.
Re:Eh? (Score:1)
Re:Eh? (Score:2)
Those AJAX-bashers don't seem to understand that web servers don't scale horizontally, whereas database servers can be scaled by throwing more cheap boxes in the data center. And we live in a strange world where delivering a single huge page is faster than s
Re:Eh? (Score:2)
Re:Eh? (Score:1)
It's easy to scale web servers by adding more of them, with a load-balancer (such as a Cisco CSS, and/or a software layer like mod_jk) to distribute requests appropriate.
It's hard to scale a database, especially one that gets updated, because distributed writable databases are hard to do, and even distributed read-only replicas get tricky, especially if they must be up to date.
In any web services application you really want to avoid hitting the database if you can, by using simple dat
Re:Eh? (Score:2)
Re:Eh? (Score:2)
Maybe the real question should
Re:Eh? (Score:2)
Does everyone really wear goatees in your dimension?
Re:Eh? (Score:2)
Funny/Informative, Flash (Score:2)
It is relatively difficult to add more database servers. It is relatively easy to add more webservers. Any caching structure you could possibly use in AJAX you could definitely use on your webserver - and many more, because you have power over those servers.
You MIGHT use AJAX to reduce the load on your webserver in some cases, but if it reduces load on your DB server you didn't have caching setup ri
Re:Eh? (Score:2)
database servers can be scaled by throwing more cheap boxes in the data center.
HAHAHAHAHAHAHA!
Sorry, it's just that when you sai... HAHAHAHHAHA!
Umm, yeah, what was I saying?. Oh yeah: databases don't scale horizontally, and Oracle clusters are a pain in the ass. You could always do some sort of caching to unload the db, but AJAX is good for improving percieved interactivity.
Re:Eh? (Score:5, Informative)
Simple. Let's take Slashdot moderation as an example. Last time I saw it, it included a drop-down for each comment, and the ability to submit your moderation for all comments. When the form is submitted, the user-agent transmits the moderation status for each comment to the server, and reloads the entire page. This entails not only wasting bandwidth (by transmitting all comment statuses instead of only those that have been altered), but also a high cost because even if you only moderate one comment, a page with potentially hundreds of comments has to be sent back to you.
A moderation system that uses Ajax to submit comments, on the other hand, sends only one status for only one comment, and doesn't have to reload the page with hundreds of comments, because all it needs is a simple success or failure flag in return. Thus, if you moderate five comments, you might make five requests, but those requests are tiny compared with the single massive request that the non-Ajax version needs to make.
In the more general case, it may very well be that some database queries simply don't need to be made in most cases, but do in a minority of cases upon certain user interactions. In these cases, without Ajax, you are stuck performing the queries preemptively for all users, instead of only in the minority of cases where it is needed.
Thinking "more HTTP queries == worse performance" is an incredibly superficial analysis and neglects many important factors.
Re:Eh? (Score:2)
Thank you. At the same time, background refreshes when the user isn't paying attention, such as GMail or the Yahoo Beta do, could generate many queries that the user will never notice but the DB has to endure. There needs to be a way to prioritize background activity over direct UI interactions, and/or optimize the server for these background refreshes. Random idea: You could have the server generate a parallel disposable mini-database of "things that have changed since the currently active sessions las
Re:Eh? (Score:3, Informative)
In GMail for instance, it would make sense for open sessions to not query the users mailbox each time the requestor wants a list of (new) messages, but to move to an approach where a new message being delivered to the mailbox notifies the session that there is a new message. I really see no reason that GMail should be querying for the list of messages more than onc
Re:Eh? (Score:2)
Disclaimer: I am not a database expert. :-)
This is why I mentioned the "session cache" idea. Once the server farm knows a session is active, any transactions that come in that modify the state the session might be interested in can go to a separate "things that happened since you last asked" database. That database can be really small, and discarded when convenient. The cost of discarding it is that you need to do a full query on the main database.
With this sort of approach, you can stick to a cl
Re:Eh? (Score:2)
Re:Simple. Let's take Slashdot moderation as... (Score:1)
I'm sure that all moderators will have been caught at least once by seeing a particular comment end up with an inappropriate score as a result. Conscientious moderators will probably then decide tha
Re:Simple. Let's take Slashdot moderation as... (Score:2)
2. The time when you want to reload the page isn't *after* you've moderated, it's before. I.e. refreshing the page after you moderate only helps you for the next moderation, not the current moderation. AJAX could offer you a button th
Re:Eh? (Score:2)
Re:Eh? (Score:2)
Re:Eh? (Score:2)
but also a high cost because even if you only moderate one comment, a page with potentially hundreds of comments has to be sent back to you.
Which shouldn't actually hit the database - maintain an lru cache of all stories with a size of around 50 and an expiry of about 1 minute. Each box that holds this cache loads a list of comments once per story per minute at most. run four or five instances of the cache and point the webservers at it - presto! no slammed database.
Re:Eh? (Score:2)
A shopping cart application where everything but the price and inventory levels are cached out to the web servers as static content. Then a small piece of javascript goes and pulls the inventory and the price and feeds them to the controls on the page.
Before AJAX, the entire page would be dynamically generated, meaning the database would have to supply the product description and all other content on the page. Now that information can reside in the database, but the app server first looks t
Re:Eh? (Score:2)
Many web-based applications already do something better; my employer owns at least one.
The basic technique is to create a derived database access class(es) that include simple caching logic. The whole app then uses that derived class for DB access.
When the cache-aware class(es) are used, the developer indicates whether or not cached data is desiered, and optionally what the specific timeout should be. When a call to this "caching DB class" is made, the SQL that would be sent to the database is instead fir
Re:Eh? (Score:2)
So the site tends to be fairly static by the time of the crush, but we need to serve as many pages as possible in a matter of 5-10 minutes. For us, static html with only a few of the pages making any db calls at all allowed us to handle the crush and scale amazingly well.
The diversity of
No way out (Score:1, Redundant)
Re:No way out (Score:1)
I'm somewhat arguing with this point, but also legitimately curious. There are really only a few very insignificant examples of Java applet based virus, all of which use outdated JVM. Your statements make it sound otherwise. Do you have proof of "widely exploited" holes in the Java sandbox?? I doubt it, but I'd appreciate being proven wrong otherwise.
For stand
Re:No way out (Score:1)
Re:No way out (Score:2)
I was referring to planting of trojans, viruses, etc to clients' pc through using legitimate commands and routines. Ie like in many porn sites. - 5 Popup windows open, they spawn another 10 popup window and redirect to another 5, and despite youre loaded with patches, zonealarm, karspersky anti vir, closed dcom, and so on, you get infected.
Re:No way out (Score:2)
HTTP Rewritten (Score:1)
Re:HTTP Rewritten (Score:1)
[B.v.L]
Don't ask customers to be vulnerable (Score:3, Insightful)
Re:Don't ask customers to be vulnerable (Score:1)
Re:Don't ask customers to be vulnerable (Score:2)
I'm not saying that telling a customer to uninstall or disable Norton is the right way, but there are worse things you could do.
You know... (Score:5, Insightful)
If you are designing programs that can be potentially used by many thousands of users, you can not afford to write programs that only cater for those who wish to play by *your* game. A good few of them will refuse and use another software.
NeoThermic
Re:You know... (Score:2)
Haven't run across this yet (Score:3, Interesting)
I'm always seeing articles about AJAX security issues, and they always puzzle me. AJAX is just another way of sending http requests to the server from the browser. If you're able to write secure server side scripts already, then you should have no trouble writing ajax responders. How do these security aps decide that these particular http requests from the browser are "bad"?
Re:Haven't run across this yet (Score:3, Informative)
IE only supports AJAX through activex (this is changing in version 7 but that won't be widely deployed for a while).
Re:Haven't run across this yet (Score:3, Insightful)
AJAX is just another way of sending http requests to the server from the browser.
Unfortunately this alternate method makes use of a couple of potentially harmful mechanisms: client side scripting and (in IE) ActiveX. Additionally, it is not uncommon to see AJAX requests and responders bend or break the rules of HTTP also which can cause packet-inspecting firewalls some grief. Sure, you can easily code up a little shopping site where you click 'show price' to load the price via AJAX, but
Re:Haven't run across this yet (Score:3, Funny)
Re:Haven't run across this yet (Score:2)
Additionally, it is not uncommon to see AJAX requests and responders bend or break the rules of HTTP also which can cause packet-inspecting firewalls some grief.
I can see XMLHttprequest breaking HTML data(as in using XML and parsed/rendered through javascript as opposed to preformatted HTML), but HTTP? How?
The same headers are sent as though you're doing an regular GET by typing a URL in the browser, therefore sessions,cookies,authentication/authorization, etc. remains the same.
I
Re:Haven't run across this yet (Score:2)
That all depends on how the application is written, doesn't it? I can hook into Apache and make it violate any part of HTTP that I want to with little effort. As hard as it might be to believe that programmers sometimes take shortcuts, when coding these thin AJAX responders, some authors do actually neglect to send proper headers or any headers at all! Shockingly, some even neglect to send XML entirely!
The XMLHt
Re:Haven't run across this yet (Score:2)
Not really. The web app developer can only assume that AJAX HTTP requests are following the rules, and as such security on the server side is important which it should be regardless of issued the http request in the first place.
Shockingly, some even neglect to send XML entirely!
XML isn't really a requirment, you could use JSON, or even preformatted HTML if you'd like, but you'd lose the built in DOM parser that most javascript interpret
Graceful degradation usually fixes this (Score:5, Insightful)
The kinds of things security software disables should be non-essential anyway. For instance, ActiveX disabled in Internet Explorer will stop you from using XMLHttpRequest, but that throws an error that you can catch, and your fallback behaviour for non-JavaScript users can be used.
Whenever I see somebody complaining about software interference with web applications, it's virtually always because they've cut corners and neglected to code appropriate fallback behaviour when browsers don't support a particular feature. Unfortunately, it's impossible to give you specific advice because you've unhelpfully neglected to mention anything specific at all about the problems you are having.
As somebody else mentioned, if your goal is to reduce load on your databases, then this can be achieved through other means. For instance, caching (both page fragments, and HTTP caching) can significantly reduce load if most of your transactions are reads that apply to multiple users.
Re:Graceful degradation usually fixes this (Score:1)
If it's Norton Internet Security (Score:3, Insightful)
Norton is the only thing I've ever seen decide that outbound DNS queries were *all* suspicious and should be silently blocked.
Re:Just stop using Ajax (Score:5, Insightful)
This indicates a complete lack of understanding of why developers are turning to AJAX. The point is not that they want to foist their server load problems on the client. The point is that they are trying to give their users a more responsive experience. Reducing the burden on the server is one effective way to do this.
When we were all on the far end of 14K4 modems, a few seconds of latency at the server went more or less unnoticed. Now that most of us have broadband, people complain if the information does not at least appear to arrive instantly. AJAX, when used properly (and I concede that it is not always used properly) is about having web sites that only move the change information back and forth, without moving all of every page when little has changed. This reduces the traffic between the client and server in both directions and can improve responsiveness as a result. Google Maps [google.com] is a classic example of this; by moving the map tiles around locally in JavaScript and only asking the server for the missing tiles as they are needed makes for a much more interactive experience. The fact that the map tiles are all static content is a bonus, but it's not the end goal.
I don't get it... (Score:3, Insightful)
And why do you think that "implementing AJAX" would magically reduce the load on database servers? The load on database server is purely dependant on the data you are storing and the queries you're doing in order to access it. Sure, you could be able to avoid certain queries hitting the database by firing the queries only after the user does something on the web interface. But on the other hand, this is not magic bullet for sure. If you don't know what you're trying, you might find yourself in a situation where your web and database servers are hammered with say 10x increase in requests/queries.
Re:I don't get it... (Score:3, Insightful)
In terms of AJAX reducing DB queries, it works as follows. In traditional web apps, you often have data that gets reloaded repeatedly. For example, a list of products. The user clicks on a
Re:I don't get it... (Score:2)
So even with the best possible server-side caching scenario set up, using ajax and related techniques to implement client-side caching can be
if its ActiveX that's a no, fall back on IFrame? (Score:2)
Let Us Think About This (Score:1)
Are you retrieving cross-site content? (Score:1)
When you say you are using Ajax to lighten your DB load, it implies might be using Ajax to request content from other servers than the source server your content comes from (cross-site scripting).
If that is the case, you can certainly expect your clients' antivirus systems to (rightfully) give you a headache.
You simply should not be doing that, and until something like http://json.org/JSONRequest [json.org]JSONRequest (proposed fo
Stick with lightweight dynamic html... (Score:2)
I want to know... (Score:2)
Enlighten us.
XForms route (Score:2)
We write our dynamic markup in XHTML+XForms, following W3C standards (including nascent accessibility standards [w3.org]), and then use Chiba server-side in Tomcat to translate it into HTML4 and JavaS
Bad link (Score:2)
use the AJAX! (Score:2)