Securing an ajax page


Tommybs

6:46 pm on Jun 13, 2010 (gmt 0)




Hi,

I can't get my head around this, so I thought I'd post here.

Imagine you have a page with various pieces of functionality. To spread this functionality out you're using include(page.php); statements and separating the different bits of functionality out. Now one of these merely displays a list, but on clicking a link in the parent page, you want to load that page again via ajax, but you don't want people to access inc_page.php directly. How can I do this? I can't store the page above root, as then the js can't call it. I can't use define with an ajax call. I thought about sending a variable, but then anyone could just look at the js and add the variable themselves.

What's the best way to go about this?

Maybe setting a session variable equal to the variable and checking that the session exists and equals the variable sent along? But then anyone can easily view it once they have the session.

This is bugging me. The inc_page needs to be like a control but not accessed directly.

Thanks

explorador

5:04 pm on Jun 14, 2010 (gmt 0)




want to load that page again via ajax, but you don't want people to access (inc_page.php) directly


Add a referrer check to your PHP. If it contains your URL then it's OK; if not, print "not allowed". This way the file could be called by your PHP files and scripts from inside your server but not directly (empty referrer).

Your file is being called as an include; this works as if it were a text file, I think, but then the code is executed on the whole file as one, so your referrer check still works there, and also if it is called via ajax, because the referrer shows who called and is still inside your server (URL).

So: get the referrer,
check if the referrer contains the URL (not if it's equal...),
done.

good luck

Demaestro

5:20 pm on Jun 14, 2010 (gmt 0)




Cookie? Both JS and PHP can read them.

If Cookie { give this content }

Else {give this content instead}

TheMadScientist

5:48 pm on Jun 14, 2010 (gmt 0)




Cookie? Both JS and PHP can read them.

Not if you use secure cookies...
Cookies are not accessible by JS if you set them as secure.

Since it's opening a new page and cookies are sent with requests, even if they are secure, I would think about having the AJAX call a PHP page that checks for the cookie, and if the cookie is present, runs the script...

This could be done by including a script above the root only if the cookie is present, or by checking for the cookie and exiting in the script itself if it's not present. The cookie should be sent with the request to the new page, so you should be able to use PHP to check for it, and then you don't have to worry about whether JS has access to it; in fact you could add some security this way.

Demaestro

6:38 pm on Jun 14, 2010 (gmt 0)




Sorry, I totally miswrote that, you are right Mad.

I meant that the PHP method that is serving the XML for the Ajax requests can check a cookie and serve different content based on that.
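An added example (not code from the thread) of the approach TheMadScientist and Demaestro describe: inc_page.php renders normally when included by the parent page, and when requested directly it only answers an AJAX call that carries a token stored in the visitor's own session, so the check rests on the server-side session cookie rather than on the client-supplied Referer header. The file name inc_page.php comes from the thread; the constant IN_PAGE, the session key ajax_token, the parent page page.php and the sample list data are assumptions for this illustration.

```php
<?php
// inc_page.php (constructed example). Two entry paths: included from page.php,
// which does  define('IN_PAGE', true); include 'inc_page.php';  or requested
// directly by the page's JS via AJAX. Names IN_PAGE, ajax_token, page.php
// are assumptions, not from the thread.

ini_set('session.cookie_httponly', '1');   // session cookie not readable by page script
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// One token per session. page.php prints it into the JS that makes the call,
// e.g.  echo '<script>var token = ' . json_encode($_SESSION['ajax_token']) . ';</script>';
if (empty($_SESSION['ajax_token'])) {
    $_SESSION['ajax_token'] = bin2hex(random_bytes(16));
}

// The content both the include and the AJAX call need.
function render_list(): string {
    $items = ['alpha', 'beta', 'gamma'];   // constructed sample data
    $safe  = array_map('htmlspecialchars', $items);
    return '<ul><li>' . implode('</li><li>', $safe) . '</li></ul>';
}

if (defined('IN_PAGE')) {
    // Reached via include from page.php: render and hand control back.
    echo render_list();
    return;
}

// Reached as a direct HTTP request (the AJAX path). Require a POST carrying
// the token that lives in this visitor's session. Someone who copies the
// token out of the JS still needs the matching session cookie, and a request
// with no session (a bare URL typed into a browser) gets a fresh token that
// never matches what was sent.
$sent = $_POST['token'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !is_string($sent)
    || !hash_equals($_SESSION['ajax_token'], $sent)) {
    http_response_code(403);
    exit('not allowed');
}

header('Content-Type: text/html; charset=utf-8');
echo render_list();
```

The JS side sends the token as a POST field (for example `token=` + encodeURIComponent(token)) with the browser's normal cookies attached; a GET of inc_page.php with no token answers 403.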