Joey

Reputation: 1676

Protecting PHP page from being opened in browser only

I am working on a live weather data page. Our weather module outputs the data in CSV and stores it on my webserver. I then use a PHP script to translate the CSV into an array and then I encode it in JSON and output it so that my jQuery Ajax script can call it every so often to get the latest data and update the page. This is working great so far.

My question is, how can I prevent the URL used to retrieve the JSON (the URL of the aforementioned PHP script) from being opened and viewed in a browser? I tried adjusting the permissions, but to no success.

Thanks in advance to any who are willing to help.

Upvotes: 1

Views: 165

Answers (3)

Simon Germain

Reputation: 6844

There's no real way of doing that, since the Ajax call also comes from the browser. There's no real difference between a proper browser call and an Ajax call. A GET call is a GET call.

EDIT

As per @Adeneo's suggestion, implementing a pseudo-security, through some kind of key, would be a good way of making it harder for people to view the page, even though there's no way of literally blocking the call.

Also, adding a header to your Ajax call and verifying the presence of that header in your backend script makes it a bit harder to spoof.

Another idea would be that, if that service would be called only once per page view, you could set up a key in your JavaScript, provided by your server, to append to your Ajax call. When the server gets called, the key provided becomes invalid after use, preventing someone from calling the service with the same key twice.

Upvotes: 3
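
The single-use key and header check described in this answer, as an added example that is not part of the original answer. The function names `issue_key` and `check_request`, the session entry `json_key` and the `key` query parameter are assumptions.

```php
<?php
// Added example: hypothetical helpers, not code from the question or answers.

// Called while rendering the HTML page: store a fresh random key in the
// session and return it so the page's JavaScript can append it to the call.
function issue_key(array &$session): string
{
    $session['json_key'] = bin2hex(random_bytes(16));
    return $session['json_key'];
}

// Called by the JSON endpoint: returns the HTTP status code to send.
function check_request(array &$session, array $server, array $query): int
{
    // jQuery adds X-Requested-With to same-origin Ajax calls. Any client
    // can send the same header, so this only raises the bar.
    $xrw = strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '');
    if ($xrw !== 'xmlhttprequest') {
        return 403;
    }
    $expected = $session['json_key'] ?? null;
    $supplied = $query['key'] ?? null;
    // Invalidate the stored key before comparing, so it works at most once.
    unset($session['json_key']);
    if (!is_string($expected) || !is_string($supplied)) {
        return 403;
    }
    return hash_equals($expected, $supplied) ? 200 : 403;
}

// Constructed demo: plain arrays stand in for $_SESSION, $_SERVER and $_GET.
$session = [];
$ajax    = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$key     = issue_key($session);

$cases = [
    'URL opened directly (no header)' => [[], ['key' => $key]],
    'Ajax call with the issued key'   => [$ajax, ['key' => $key]],
    'same key sent a second time'     => [$ajax, ['key' => $key]],
    'Ajax call without a key'         => [$ajax, []],
];
foreach ($cases as $label => [$server, $query]) {
    printf("%-32s -> %d\n", $label, check_request($session, $server, $query));
}
```

On a page that polls repeatedly, as the one in the question does, the endpoint would have to hand back a fresh key with each response, since every key works only once.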

berkes

Reputation: 27563

Short answer: you cannot.

Long answer: you could implement simple browser sniffing. Or search for far more advanced methods.

$browser = get_browser(null, true);
if ($browser['parent'] == "whatever-identifies-clients-that-have-access") {
  // Code to output JSON here.
}
else {
  header('HTTP/1.1 403 Forbidden');
}

But note that this is not security. At the very most, it throws up a barrier; but preventing is impossible.

Edit: This assumes the client is not a browser; I wrongly assumed a (mobile) client of some sort was accessing the JSON. When it is a browser, you cannot deny access. At all. AJAX comes from that browser too.

Upvotes: 0

Gung Foo

Reputation: 13558

There is no way of (reliably) identifying a browser, as anything that is not some form of "Authentication-Token" can be faked. The server relies on the client to be honest.

You can detect if a request is an Ajax request, though. Here is a link to one way of doing it:

http://davidwalsh.name/detect-ajax

This is how he does it:

/* AJAX check  */
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    /* special ajax here */
    die($content);
}

You will want to reverse the statements in the if since it die()s when the request IS Ajax.

There are other ways of detecting Ajax, none of which are 100% secure, including you setting a GET variable that helps you identify an Ajax call (but that GET variable can also be sent by the browser via the address line, so well... you get the picture).

Upvotes: 1
