  1. #1
    funnymoney (Regular Coder)
    Join Date: Aug 2007

    Securing Ajax.php script

    I started using some simple Ajax on my website, and the first thing that I saw is that you can see the ajax.php file that was called by the Ajax function. I'm trying to secure it so if someone tries to access it directly he gets redirected to the home page.

    I saw that you can set a named request header from Ajax and use it on the requested page. Is that enough?

    Code:
    function ajaxFunction()
    {
        var xmlhttp;
        if (window.XMLHttpRequest)
        {
            // code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
        }
        else if (window.ActiveXObject)
        {
            // code for IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        else
        {
            alert("Your browser does not support XMLHTTP!");
            return; // nothing to send the request with
        }

        xmlhttp.onreadystatechange = function()
        {
            if (xmlhttp.readyState == 4)
            {
                document.getElementById("ajaxtest").innerHTML = xmlhttp.responseText;
            }
        };

        xmlhttp.open("GET", "ajax/msg.php", true);
        // sent as the request header "X_SECURE: secure"; PHP sees it as $_SERVER['HTTP_X_SECURE']
        xmlhttp.setRequestHeader("X_SECURE", "secure");
        xmlhttp.send(null);
    }

    msg.php

    PHP Code:
    <?php
    // Redirect unless the request carries the header "X_SECURE: secure".
    // "||" is needed here: with "&&" a request sending a wrong value would
    // get through, because empty() is false for any non-empty header.
    if (empty($_SERVER['HTTP_X_SECURE']) || $_SERVER['HTTP_X_SECURE'] != "secure") {
        header("Location: ../");
        exit; // without this the rest of the script still runs after the redirect header
    }
    else {
        print "Running ajax";
    }
    ?>
    But, what if someone sends that header with curl or something similar, is it possible to "break" this script, and how to make it more secure?

  • #2
    ckeyrouz (Senior Coder)
    Join Date: Jun 2009
    Location: Montreal, Canada
    Authentication:
    username and password

    Check in the session if the user is authenticated or not and then if he is not authenticated redirect him to home page.
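    A concrete version of that session check, as an added example and not ckeyrouz's code. It assumes the login page, after verifying the username and password against the user store, calls session_regenerate_id(true) and sets $_SESSION['user_id']; the endpoint name ajax/msg.php is the one from the first post.

    ```php
    <?php
    // ajax/msg.php -- the endpoint called by ajaxFunction() in the first post,
    // with the X_SECURE header check replaced by a session check.
    // (Added example; require_login() would normally live in a shared include.)
    //
    // Assumed login.php, after the password check succeeded:
    //     session_regenerate_id(true);        // fresh session id after login
    //     $_SESSION['user_id'] = $row['id'];  // whatever identifies the user
    //
    // Nothing the client sends (headers, Referer, hidden fields) is trusted here.
    // Only the server-side session, keyed by the session cookie, says whether
    // this browser has logged in, and curl cannot produce that cookie without
    // first logging in itself.

    function require_login()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['user_id'])) {
            // For an XMLHttpRequest a redirect is the wrong answer: the browser
            // follows it silently and responseText ends up holding the home
            // page's HTML. Reply 403 and let the JavaScript react to the status.
            http_response_code(403);
            header('Content-Type: text/plain; charset=utf-8');
            echo 'not logged in';
            exit;
        }
        return (int) $_SESSION['user_id'];
    }

    $user_id = require_login();

    // Only reached for an authenticated session.
    header('Content-Type: text/plain; charset=utf-8');
    echo 'Running ajax for user ' . $user_id;
    ```

    On the client side the onreadystatechange handler should then test xmlhttp.status == 200 before copying responseText into the page; a 403 body is a message for the script, not content to display. http_response_code() needs PHP 5.4 or later.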

  • #3
    funnymoney (Regular Coder)
    Join Date: Aug 2007
    Quote Originally Posted by ckeyrouz:
    Authentication:
    username and password.
    Well, any concrete ideas?

  • #4
    ohgod (Regular Coder)
    Join Date: Jun 2008
    Location: Ohio
    You can also check the referring URL and make sure it's what you think it should be.

    But, with as simple a tool as "Tamper Data" for Firefox, a lot of information can be faked. Make sure to really sanitize the input more than anything.

    One thing I've heard of people doing is, as PHP is building your form, have it set a session var to a randomly generated string and make the hash of that session var a hidden input. When you get to the processing page it would hash that session var again and see if they match.

    Even at that, plain old session handling like ckeyrouz said is really the first step.
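    The session-secret / hidden-hash idea worked through as an added example (not ohgod's code), covering both a plain form post and the XMLHttpRequest from the first post. It assumes the visitor has already passed a session login check before this file runs, that one file both renders the form and processes the submission, and that the page contains a div with id "ajaxtest" for the Ajax reply; the field and header names (token, X-Form-Token) are this example's own choices.

    ```php
    <?php
    // Added example. Flow:
    //  1. While building the page, store a random secret in the session and
    //     emit sha256(secret) as a hidden input. The secret itself never leaves
    //     the server; the page only ever sees its hash.
    //  2. The form post (or the Ajax request) sends that hash back.
    //  3. The processing side hashes the session secret again and compares.
    // A request forged from another site, or typed into curl without first
    // loading this page under this session, cannot know the value.
    session_start();

    // Step 1. The secret is kept for the whole session (rather than rotated on
    // every render) so that several open tabs keep working.
    function issue_form_token()
    {
        if (empty($_SESSION['form_secret'])) {
            $_SESSION['form_secret'] = bin2hex(random_bytes(32));
        }
        return hash('sha256', $_SESSION['form_secret']);
    }

    // Step 3. hash_equals() compares in constant time, so the comparison does
    // not leak how many leading characters were right.
    function verify_form_token($submitted)
    {
        if (empty($_SESSION['form_secret']) || !is_string($submitted) || $submitted === '') {
            return false;
        }
        return hash_equals(hash('sha256', $_SESSION['form_secret']), $submitted);
    }

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // The form sends the token as a field; the Ajax call sends it as the
        // X-Form-Token header, which PHP exposes as $_SERVER['HTTP_X_FORM_TOKEN'].
        $token = isset($_POST['token']) ? $_POST['token']
               : (isset($_SERVER['HTTP_X_FORM_TOKEN']) ? $_SERVER['HTTP_X_FORM_TOKEN'] : '');
        if (!verify_form_token($token)) {
            http_response_code(403);
            exit('missing or wrong token');
        }
        // Token is valid; the input itself still has to be sanitized.
        $message = isset($_POST['message']) ? trim($_POST['message']) : '';
        if ($message === '' || strlen($message) > 500) {
            http_response_code(400);
            exit('bad message');
        }
        exit('stored: ' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
    }

    $token = issue_form_token();
    ?>
    <form method="post" id="msgform">
      <input type="hidden" id="token" name="token"
             value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
      <input type="text" name="message">
      <button type="submit">Send</button>
    </form>
    <div id="ajaxtest"></div>
    <script>
    // Same token for an Ajax request: read it from the page, send it as a header.
    function sendAjax(message) {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", location.pathname, true);
      xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      xhr.setRequestHeader("X-Form-Token", document.getElementById("token").value);
      xhr.onreadystatechange = function () {
        if (xhr.readyState == 4) {
          document.getElementById("ajaxtest").innerHTML =
            (xhr.status == 200) ? xhr.responseText : "request refused";
        }
      };
      xhr.send("message=" + encodeURIComponent(message));
    }
    </script>
    ```

    random_bytes() needs PHP 7 and hash_equals() PHP 5.6; on older versions substitute openssl_random_pseudo_bytes() and a constant-time compare of your own. The token only proves the request came from a page this session loaded; it does not replace the login check, which is still what decides who may call the endpoint at all.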

  • #5
    A1ien51 (Senior Coder)
    Join Date: Jun 2002
    Location: Between DC and Baltimore In a Cave
    How would you handle securing any other page? Username and password with session. You are not going to be able to find a URL from anyone.

    Eric
    Tech Author [Ajax In Action, JavaScript: Visual Blueprint]

