Atlas

Reputation: 1363

Website security question with PHP? (Probably applies to ASP/Rails/etc. too)

Say, I have "index.htm" and "routines.php".

"index.htm" will eventually call "routines.php" using JS (AJAX).

So, my question is, how can "routines.php" verify that the request came from the same local server and not outside? Is there a global variable I can check at PHP level or HTTP level?

Edit 1: Using AJAX

Upvotes: 0

Views: 188

Answers (6)

Ozzy

Reputation: 10643

You could use a session key:

index.htm

<?php
session_start();               // the session must be started before $_SESSION is usable
$_SESSION['safe_key'] = true;  // mark this session as having loaded the page
?>
javascript code here

routines.php

<?php
session_start();               // resume the same session the page set up
if (!isset($_SESSION['safe_key'])) {
   die('from outside');
}

function getdata() { ... }     // the actual routine goes here
?>

Basically what happens is that when index.htm is called, a session safe key is created. Sessions are server-side only. In routines.php, if the safe key does not exist, the code was not called from index.htm. If it does exist, run the code.

Upvotes: 1

user9755

Reputation: 163

As others pointed out, it would be pretty difficult given your original specification. However, if you can change the index.htm to be index.php and have it output the same content as index.htm, you can also put in additional tokens for session management (e.g. Cookies - yes I know they are easy to spoof too :) and reject the call to getdata() if the tokens don't match.

Upvotes: 0

Ionuț G. Stan

Reputation: 179159

You may forget about the Ajax part as it's not really part of the problem. You should read about Cross Site Request Forgeries (CSRF) and CSRF tokens. Some links:

Upvotes: 3
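Putting the session-key answer and the CSRF-token advice above together, as an added PHP example that is not code from the question or any of the answers: a random token is minted into the session when the page is rendered, the AJAX call sends it back, and routines.php rejects any request whose token is missing or does not match. The function names, the X-CSRF-Token header, and the in-memory array standing in for $_SESSION are this example's own assumptions, and index.htm is assumed renamed to index.php so PHP can run there.

```php
<?php
// Added example, not code from the question or its answers: a CSRF token
// that ties routines.php to a page the same session rendered. Names are
// this example's own; "index.php" replaces index.htm so PHP can run there.
declare(strict_types=1);

// index.php: mint a random token, keep the server copy in the session
// (server-side only), and embed the returned string in the page for the JS.
function issue_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// routines.php: accept the request only when the client echoes back the
// exact token the session holds. hash_equals() compares in constant time;
// the guards reject requests that carry no token at all.
function verify_csrf_token(array $session, ?string $presented): bool
{
    if (!isset($session['csrf_token']) || $presented === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $presented);
}

// Wiring in a real routines.php (the JS sends the token in a request header,
// assumed here to be X-CSRF-Token):
//   session_start();
//   $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
//   if (!verify_csrf_token($_SESSION, $sent)) { http_response_code(403); exit; }

// Offline round trip against a constructed array standing in for $_SESSION.
$session = [];
$token   = issue_csrf_token($session);

$legit   = verify_csrf_token($session, $token);              // page's own call
$missing = verify_csrf_token($session, null);                // no token sent
$wrong   = verify_csrf_token($session, str_repeat('0', 64)); // guessed token

printf("legitimate=%s missing=%s wrong=%s\n",
    var_export($legit, true), var_export($missing, true), var_export($wrong, true));
```

Only the legitimate call passes; a page on another origin cannot read the token out of the session or the rendered page, so its request arrives without a matching value.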

Arjan

Reputation: 23559

To answer your question with another question: how would you invoke getdata() using a browser?

(So: no need to worry.)

Upvotes: 2

backslash17

Reputation: 5390

Use the HTTP_REFERER server variable:

echo $_SERVER['HTTP_REFERER'];

With this you can know if the request comes from the server you want.

Upvotes: -2

Blixt

Reputation: 50179

If the call is made in JavaScript (i.e., on the client), you really can't do anything to definitely prevent someone from simulating a request from index.htm, even if you check the Referer (sic) header.

If the request is made on the server side, you could use some kind of key.

You can of course generate a key on the client side too, but this security measure can be imitated by anyone to simulate a request from index.htm.

Upvotes: 1
