Dirty Bird Design

Reputation: 5523

help with PHP session_destroy();

I have several forms brought in via jQuery .ajax function. In the parent page I start a session like this

<?php
session_start();
$_SESSION['authenticated'] = 'yes'; // set for anyone who loads the parent page
?>

then in the form that is loaded have a check like this:

<?php
session_start();
if (($_SESSION['authenticated'] ?? '') !== 'yes') {
    header("Location: http://www.google.com");
    exit; // stop here, otherwise the form body is still sent after the redirect header
}
?>

I know it's not the best, but it's an attempt to stop people from accessing the forms directly. The problem is that if you go to the parent page, then you can enter the form URL and get there because the session was started when you hit the parent page. How can I destroy the session or remedy this issue?

Upvotes: 0

Views: 599

Answers (2)

SteAp

Reputation: 11999

Effectively, you can't.

To make it more complicated, don't request the form URLs directly. Try to request authorize tokens per request of the main page:

  • If you generate the main page and you know the form to be requested beforehand, then generate tokens e.g. using md5(time().rnd()), associate each with one of your forms and save the association in your session.

  • Then, your JS code won't request the form URLs, but a factory script using a token injected into the JS code

  • If you find the token in your saved association in your session, emit the form and delete the token in your session.

This way, each form can only be requested once by one preceding call of the main page.

Note that this isn't fully safe either: if a user requests the URL of the main page using wget, he can request each form once.

Upvotes: 2
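The one-time-token scheme described in this answer, written out as an added example (not code from the thread or its authors). It assumes two hypothetical scripts, main.php and form_factory.php, and hypothetical form files under forms/; the tokens come from random_bytes() rather than the md5(time().rand()) suggested above, so they cannot be predicted from the clock. The demonstration at the bottom runs in an in-memory array standing in for $_SESSION so the file executes stand-alone from the CLI.

```php
<?php
// Added example: one-time form tokens stored in the session.
// Assumed layout (hypothetical): main.php emits the page plus tokens,
// form_factory.php is the only endpoint the JS fetches forms from.
declare(strict_types=1);

// Forms the main page knows in advance, mapped to files the factory may include.
// Keep these files outside the document root so only the factory can reach them.
const FORMS = [
    'contact' => __DIR__ . '/forms/contact.php',
    'signup'  => __DIR__ . '/forms/signup.php',
];

// main.php side: mint one unguessable token per form and remember the mapping.
function issueFormTokens(array &$session): array
{
    $tokens = [];
    foreach (array_keys(FORMS) as $form) {
        $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
        $session['form_tokens'][$token] = $form;
        $tokens[$form] = $token;
    }
    return $tokens;
}

// form_factory.php side: exchange a token for its form path, exactly once.
function redeemFormToken(array &$session, string $token): ?string
{
    $map = $session['form_tokens'] ?? [];
    if (!isset($map[$token])) {
        return null;                                 // unknown, guessed, or already used
    }
    $form = $map[$token];
    unset($session['form_tokens'][$token]);          // burn the token before emitting anything
    return FORMS[$form] ?? null;
}

// Glue for a real deployment, kept as comments so this file stays a stand-alone demo:
//   main.php:
//     session_start();
//     $tokens = issueFormTokens($_SESSION);
//     echo '<script>var formTokens = ' . json_encode($tokens, JSON_HEX_TAG) . ';</script>';
//   form_factory.php (the JS requests form_factory.php?t=<token>):
//     session_start();
//     $path = redeemFormToken($_SESSION, $_GET['t'] ?? '');
//     if ($path === null) { http_response_code(403); exit; }
//     require $path;

// Stand-alone demonstration with an array in place of $_SESSION.
$session = [];
$tokens  = issueFormTokens($session);
$first   = redeemFormToken($session, $tokens['contact']);   // first use: allowed
$replay  = redeemFormToken($session, $tokens['contact']);   // second use: refused
$guess   = redeemFormToken($session, 'not-a-real-token');   // unknown token: refused
if ($first === null || $replay !== null || $guess !== null) {
    fwrite(STDERR, "token demo FAILED\n");
    exit(1);
}
echo "token demo OK: first use allowed, replay and guess refused\n";
```

Because the token is deleted as soon as it is redeemed, reloading form_factory.php with the same token returns 403, which is the "each form once per main page load" property the answer describes. The form files must not be directly reachable by URL, otherwise the factory can simply be bypassed, which is the original question's problem in a new form.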

Dimitry

Reputation: 6603

You can check $_SERVER['HTTP_REFERER'] in your form .php code to see where the request is coming from. An AJAX call will set the HTTP_REFERER to the page it is called from.

if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) === false) {
   die();
}

It's not a bulletproof solution. Any page that is publicly accessible can be retrieved by an automated script.

Upvotes: 1
