The most secure way to POST data to a website
14 replies. Latest Post by adefwebserver on July 21, 2008.
omeganet05
Member
25 points
14 Posts
07-18-2008 9:44 AM |
I have a Silverlight 2 beta 2 app which communicates with a PHP site, which saves the data in MySQL. If a malicious user views the headers sent by my app, he can modify them to insert malicious data in my DB. So I need to protect the communication between my app and my site. What is the most secure approach?
justncase80
349 points
144 Posts
07-18-2008 9:48 AM |
The most obvious answer is to just use SSL. Your webservice would only communicate from secure requests; your service URLs would probably change to "https". To do this you just need to have an SSL certificate and set it up for your site on your server. This is basically just a server configuration issue, then a little bit of code to ensure that incoming service requests are done through https.
I'm not really sure how you would do this in PHP or apache though.
07-18-2008 10:18 AM |
How can I use SSL with Silverlight? I can configure my web server to use SSL, but how do I make requests from my app? Can you give me an example code (even with web services)?
sladapter
All-Star
17445 points
3,173 Posts
07-18-2008 10:27 AM |
http://silverlight.net/forums/p/16672/55418.aspx#55418
07-18-2008 10:32 AM |
Basically you would setup a Service Reference to your webservice, only instead of using the URL:
http://localhost/MyService.svc?WSDL
You would use:
https://localhost/MyService.svc?WSDL
It should be that simple. Of course replace everything after https with the URL to your WSDL for your service.
07-18-2008 11:38 AM |
It looks very easy with WebServices, but my hosting does not provide .NET content. So I have to think of a workaround with PHP. Has anybody done something like that with PHP?
07-18-2008 12:35 PM |
That's ok, in this context a webservice is just a SOAP web service. A WSDL is the service description and this is a standard protocol. I'm not a PHP expert but I'm pretty sure you can find some libraries to create SOAP webservices.
For example: http://devzone.zend.com/node/view/id/689
Anyway, you create your SOAP webservice in PHP, or Java or .NET or whatever then in your Silverlight application you can "Add a service reference" and point it to the WSDL url. From there it will know how to generate classes for you that can interact with your web service.
I believe there are also ways to interact with REST webservices (which are very common in PHP) but I'm not sure if that is implemented in Silverlight yet. It might be worth looking into at least.
07-20-2008 4:55 AM |
Thanks! I created my PHP WebService. Everything is OK. Now I have to secure it. I want only my Silverlight app to be able to send data to this WebService. So I need a certificate. I have to include my private key in my Silverlight app and put my public key on the server. But is it secure when I include my private key? Can't it be found?
robhouwe...
Contributor
3184 points
548 Posts
07-20-2008 4:59 AM |
To secure it, all you have to do is call the webservice using https. Since Silverlight runs in a sandbox in the browser, the browser will handle the https for you. This is not something you need to create yourself.
07-20-2008 6:04 AM |
I read about this. But I want to ensure that my WebService will be called only from my Silverlight app. How can I achieve this? Don't I need to use my private key to encrypt the data so the server can use my public key to decrypt it?
07-20-2008 8:24 AM |
There is no way to be 100% certain calls are made from your Silverlight app. Using a key won't help either because the code can easily be read using tools like Reflector. When you want to display such sensitive info using webservices it's probably best to let the user log in first before they can access the information.
However, this is not really a Silverlight issue, but a common question when it comes to webservices.
Try this article for more info on securing webservices: http://msdn.microsoft.com/en-us/library/aa302428.aspx
adefwebs...
450 points
128 Posts
07-20-2008 5:44 PM |
I outline a method here:
Implementing "Super Tight Security"
Basically you can store the IP address when the Silverlight App is launched and then only accept requests from that IP address. That combined with a random password should make hacking your web service very difficult.
07-21-2008 1:44 AM |
Hi Michael,
In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page? If a hacker calls the webservice using an aspx page using the password he got from first opening the page the normal way, he can use your webservice.
I agree it does make it more difficult, but it's not totally secure.
Maybe I misunderstood, so please correct me if I'm wrong.
Yi-Lun L...
25052 points
2,747 Posts
07-21-2008 5:06 AM |
Hello, there's no way to tell if the request comes from your Silverlight application or another client. This is similar to a classic web application: there's no way to tell if the user is using IE/Firefox or a hacked browser that simulates IE/Firefox's requests. But there are still a lot of solutions to enhance your service's security. I don't know PHP. But generally speaking, you should enable sessions on your web services, so only authenticated users can access the service. In WCF, you can use ASP.NET session; I think there's something similar in PHP. When Silverlight makes a request to the service, it will automatically send the session information, if any. It's very difficult to hack a session, since each session will have a different id. Of course, you still need your users to protect their passwords. Even in a classic web application, if the hacker gets the password, he can still do anything that user can, right?
07-21-2008 8:21 AM |
robhouweling: In the method you outlined, can you explain how you determine the call is made from the Silverlight application instead of a normal aspx page? If a hacker calls the webservice using an aspx page using the password he got from first opening the page the normal way, he can use your webservice.
That's why I put in the IP address check. The hacker would have to be on your computer or using some sort of IP spoofing AND they have to do this before you logged in again and caused your temporary password to change.
You should never pass the "real" user password from the Silverlight app to the web service.
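The pattern the thread converges on (let the user log in first, hand the client a random temporary token instead of the real password, bind that token to the client IP, rotate it on every login, and validate the posted data on the server), written out as an added, runnable illustration in Python. This is not code from any poster or from the PHP service discussed; the user table, the header name X-Session-Token, the 15-minute lifetime and the "score" field are constructed assumptions. It also reflects robhouweling's point: the IP check only raises the bar, so the server still authenticates every call and never trusts the body it receives.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumption: a session idles out after 15 minutes


def _hash_password(password: str, salt: str) -> str:
    # Illustrative salted hash; a real deployment would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table: username -> salted password hash.
USERS = {
    "alice": {"salt": "c0ffee", "hash": _hash_password("correct horse", "c0ffee")},
}


class SessionStore:
    """Issues one random token per login and binds it to the client IP.

    The real password crosses the wire once, at login; every later POST
    carries only the temporary token, which dies on logout, expiry or the
    next login (the 'temporary password that changes' from the thread).
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}  # token -> {"user", "ip", "expires"}

    def login(self, username, password, client_ip):
        record = USERS.get(username)
        if record is None:
            return None
        candidate = _hash_password(password, record["salt"])
        if not hmac.compare_digest(record["hash"], candidate):
            return None
        # Rotate: any earlier token for this user stops working immediately.
        stale = [t for t, s in self._sessions.items() if s["user"] == username]
        for t in stale:
            del self._sessions[t]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "ip": client_ip,
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return token

    def authorize(self, token, client_ip):
        """Return (ok, username-or-reason) for a presented token."""
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown token"
        if self._clock() > session["expires"]:
            del self._sessions[token]
            return False, "expired"
        if session["ip"] != client_ip:
            # Heuristic only: clients behind the same NAT share an address.
            return False, "ip mismatch"
        session["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding expiry
        return True, session["user"]


def handle_post(store, request):
    """Minimal POST endpoint. `request` is a constructed dict with
    'remote_addr', 'headers' and 'body'. Returns (HTTP status, message)."""
    token = request.get("headers", {}).get("X-Session-Token", "")
    ok, info = store.authorize(token, request["remote_addr"])
    if not ok:
        return 401, info
    # The client is never trusted: validate every field before it reaches the DB.
    body = request.get("body", {})
    score = body.get("score")
    if not isinstance(score, int) or not 0 <= score <= 1000:
        return 400, "invalid score"
    return 200, f"stored score {score} for {info}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", "correct horse", "10.0.0.5")
    req = {"remote_addr": "10.0.0.5", "headers": {"X-Session-Token": tok}, "body": {"score": 42}}
    print(handle_post(store, req))
```

The token is what Yi-Lun calls the session id: random, per login, and useless to anyone who only captured the app's headers once the user logs in again. The IP binding is kept because it is what adefwebserver's method adds, but the comment marks it as a heuristic, and the range check on `score` is the part that actually addresses the original worry about malicious data reaching the database.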