Securing Ajax.php script

funnymoney · 08-25-2009, 11:16 AM

I started using some simple Ajax on my website, and first thing that i saw is that you can see ajax.php file that was called by ajax function. I'm trying to secure it so if someone tries to access it directly he get's redirected to home page..

I saw that you can set a the named request header from ajax and use it on requested page. Is that enough

PHP Code:


			
function ajaxFunction()

{



var xmlhttp;

if (window.XMLHttpRequest)

  {

  // code for IE7+, Firefox, Chrome, Opera, Safari

  xmlhttp=new XMLHttpRequest();

  }

else if (window.ActiveXObject)

  {

  // code for IE6, IE5

  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");

  }

else

  {

  alert("Your browser does not support XMLHTTP!");

  }



    xmlhttp.onreadystatechange=function()

    {

    if(xmlhttp.readyState==4)

      {

        

            document.getElementById("ajaxtest").innerHTML = xmlhttp.responseText;

        

      }

    }

    xmlhttp.open("GET","ajax/msg.php",true);

    xmlhttp.setRequestHeader("X_SECURE", "secure");

    xmlhttp.send(null);



}

msg.php

PHP Code:


			
<?php

if (empty($_SERVER['HTTP_X_SECURE']) && $_SERVER['HTTP_X_SECURE'] != "secure") {

header("Location: ../");

}

else {

print "Running ajax";

}

?>

But, what if someone sends that header with curl or something similar, is it possible to "break" this script, and how to make it more secure?

ckeyrouz · 08-25-2009, 04:46 PM

Authentication:
username and password

Check in the session if the user is authenticated or not and then if he is not authenticated redirect him to home page.

funnymoney · 08-25-2009, 09:16 PM

Quote:

Originally Posted by ckeyrouz

Authentication:
username and password.

well, any concrete ideas?

ohgod · 08-26-2009, 03:18 PM

you can also check the referring url and make sure it's what you think it should be.

but, with as simple of a tool as "tamper data" for firefox a lot of information can be faked. make sure to really sanitize the input more than anything.

one thing i've heard of people doing is as php is building your form have it set a session var to a randomly generated string and make the hash of that session var a hidden input. when you get to the processing page it would hash that session var again and see if they match.

even at that plain old session handling like ckeyrouz said is really the first step.

A1ien51 · 08-27-2009, 07:41 PM

How would you handle securing any other page? Username and password with session. You are not going to be able to find a URL from anyone.

Eric