0

We have a webservice that is mainly intended to be called from javascript, via jquery's $.ajax(). When we call methods from javascript, we set a security token in a request header. If it's not there, or if it doesn't validate, we return an unauthorized error.

And that's all working fine.

But now we're faced with returning image files. So instead of having javascript call $.ajax(), we're embedding an image tag in the DOM:

<img src='http://mywebservice/imagescontroller/getAnImage?imageid=123'/>

And when we do that, we don't have our security token in the request header. I can think of two "easy" fixes. 1., we simply allow anonymous access to our image URLs, or 2., we pass the security token as a URL parameter.

The first choice is, of course, not a good idea. The second is straightforward enough. But before I settle on this approach, I was wondering if there was some easy way of setting request headers on these sorts of requests, that I was missing.

Ideas?

Jeff Dege
  • 11,190
  • 22
  • 96
  • 165

1 Answers1

1

Easy fix: Use session cookies. That is a cookie without a expiry date. It will automatically transmit with each request and go away as soon as the users closes the browser, or you delete the cookie via javascript.

You simply store your token there and get it delivered for free to your server code.

Have some demo stuff here: How do I set/unset cookie with jQuery?

If you run the services on another domain, you will need to use CORS to make the AJAX running - otherwise your AJAX will run into the Same Origin Policy. With CORS you can even make the cookies work.

See here: CORS request - why are the cookies not sent?

If you do not want to use CORS, you could also incorporate the service domain into your own via reverse proxying. This will solve the SOP problem as well as make the use of cookies possible. Setting up a reverse proxy within Apache is pretty straight forward.

Community
  • 1
  • 1
Kai Mattern
  • 3,090
  • 2
  • 34
  • 37
  • Cookies pass back and forth between the browser and the server serving the page. Our web services are on a separate site. – Jeff Dege Sep 03 '14 at 22:38
  • You are aware that you will then run into the Same Origin Policy of AJAX? That is, unless you use CORS to mend that. And if you have to use CORS, you can get the cookies as well: http://stackoverflow.com/questions/8863571/cors-request-why-are-the-cookies-not-sent – Kai Mattern Sep 04 '14 at 06:17
  • Or you could just do it the old fashioned way and hide the other domain via reverse proxy under a certain path of your main domain. Say 'domain.com/services/*' is reverse proxied to 'otherdomain.com/bla'. This way neither SOP will occur nor are there any problems with Cookies. – Kai Mattern Sep 04 '14 at 06:20