Allow only certain client(s) for AJAX requests
I have an AJAX-intensive web application where the requests are unsecured, meaning there is no client identification. I don't check whether it's my application that's making the request on the server.
Recently I found out that someone has used my AJAX request URLs to create an iPhone app that mimics my web app. I added in a filter to discard requests from iPhone by looking in the user agent string. This is definitely a temporary solution.
Instead of blocking certain user agents, how can I make sure that the request originated from my application? If I add more services like an FB app, Google Gadget etc. I want these to make requests as well.
The question is how can I make sure that the request originates from my app(s) and discard everything else.
You can never be sure if it is your application or not, simply because everything that your application sends to the server can also be sent by any other application. But you can make your service more difficult for applications other than your own to use. You can have some key sent as a parameter or as part of the URL that would change frequently, and would have to be included in your own scripts. It would make it quite trivial to find and to use by some other application, but if that was something that changes every hour, then at least it would be impossible to write a simple AJAX request that would always work without getting your script, parsing it and finding the key, in which case no one would at least pretend to believe that your service is publicly available to everyone. This is pretty much all you can do: make it more difficult and annoying to use. You will never be able to make it impossible, but sufficiently difficult may be good enough.
Heck, I'd go a completely different route here.
Tell the creator of the iPhone app that you'll be happy to let them continue using your services for a fee. Pick something like $0.50 or so per install. That way they could sell the app in the store for $0.99; let Apple have their 30% cut and you get a bit on the deal as well.
If someone has gone to the trouble of building the app you may as well capitalize on it!
You can use a special token that you send down with your response, that you would look for in the AJAX call. That would ensure that the caller had to first load your web page. However, that still can't guarantee that the user isn't coming from the iPhone app. The app could simply process the same information and act as a proxy, and there's no way to tell that based on HTTP Requests.
Does your site have any terms of use defined? If it does, the first thing you should do is contact Apple and tell them that the app is in violation of your terms of use, and you want the app pulled. If it doesn't, you should write up some terms of use, and contact the app's author notifying them of the change, and requesting they take the app down, or come to some other terms. If all that fails, your best bet is to just make it more difficult to use the AJAX calls directly. Simple things like obfuscating and minimizing the JS (and renaming your server-side functions to not be so well named) will raise the bar on scraping your data.
This will be hard since at some point your server and app need to share a secret. That secret will be distributed with the app and will be available to reverse engineers. For now you can add a CSRF token (see this wiki) to each form. Distributing an app and then identifying it as positively yours is an unsolved problem AFAIK.
I don't know the nature of the request but if the user needs to be authenticated then you'll need to do that on the server every time. This won't prevent another developer from calling your API though as Zed points out. I agree that you can make it more difficult so it's basically an arms race depending on how important it is to prevent this third-party app from working.