
Imagine a situation: I have an ajax.php file that displays specific information based on an Ajax request.

How can I block all requests going to the ajax.php file except those coming via Ajax?

I'm looking for something like this in php:

if ($ajax) {
 // Do something
}

Will this guarantee that a malicious user won't be able to see what ajax.php has to display? Since Ajax has the same-origin policy, the request must originate from the same domain, so in theory nobody will be able to call my ajax.php?

  • Yes, the same-origin policy guarantees that nobody outside your domain will be able to call ajax.php. There is no need to do checks like if(ajax) in your PHP script. – Cristian Bitoi Oct 12 '13 at 15:40
  • See here: http://stackoverflow.com/questions/1756591/prevent-direct-access-to-file-called-by-ajax-function You can use headers to distinguish the origin of the request. They can be forged, though. – Terry Oct 12 '13 at 15:40
  • One way: you can send a token along with your Ajax request that will make your request secure, e.g. generate an API key for the logged-in user, save it on your end, then send it whenever you need to get any information. – Suleman Ahmad Oct 12 '13 at 15:40
  • It's impossible to prevent malicious users from making requests to your server. Just enforce some sane limits on the number of requests per second from the same address. Even then there are ways around it, but it's more difficult. – Brad Oct 12 '13 at 15:41
  • @Suleman Can you explain the token thing better? Since the token will be generated in JS, I imagine anyone can reverse engineer it, making tokens useless in this case? –  Oct 12 '13 at 15:43
  • @SandroDzneladze yeah sure, and with a token, it is not an easy job to generate a 16-bit or 24-bit token within one month :) – Suleman Ahmad Oct 12 '13 at 15:44
  • What he means is that you would generate a token via a JS call (say, if the user logs in) and then use that token to authenticate calls. – Machavity Oct 12 '13 at 15:47

3 Answers


There is no way to reliably tell whether a request is an Ajax request or not, ever. Any client-side information (like the referer) can be spoofed and you cannot trust any of it.

You secure Ajax requests like any other request: usually through a session-based login system that checks whether the requesting client is logged in, and what they are allowed to see.

Pekka

Other answers already mentioned it: there's no reliable way to determine whether a script was called via an AJAX request. But I use this code to detect AJAX requests:

define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest');

Keep in mind that it can be spoofed, so don't depend on it.

Stan
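Putting Pekka's and Stan's answers together in one script, as an added example that is not code from any of the answers: ajax.php authorizes the request against the server-side session (the real control), checks an anti-CSRF token, and uses the X-Requested-With header only as a spoofable hint for the response format. The session keys user_id and csrf_token and the X-CSRF-Token header name are assumptions; the login script is assumed to set them.

```php
<?php
// Added example, not from the answers above. Assumes the login script did:
//   $_SESSION['user_id']    = <id of the authenticated user>;
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// and that the page embeds csrf_token into the JS that calls ajax.php.
declare(strict_types=1);

session_start();

// Spoofable hint sent by jQuery-style clients. Fine for choosing a response
// format, useless as a security gate (anyone can send this header).
define('IS_AJAX',
    isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest');

// The real check: is there a logged-in user in the server-side session?
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Anti-CSRF token: compared in constant time against the session copy.
// Assumed header name X-CSRF-Token (PHP exposes it as HTTP_X_CSRF_TOKEN).
function csrf_token_valid(): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    return $expected !== '' && hash_equals($expected, $given);
}

$userId = current_user_id();
$authorized = ($userId !== null) && csrf_token_valid();

// Release the session lock early so parallel Ajax calls from the same user
// are not serialized (the deadlock concern raised in the comments below).
session_write_close();

if (!$authorized) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'not authorized']);
    exit;
}

// Return only what *this* user may see. Constructed sample data that stands
// in for a per-user database query.
$data = ['user_id' => $userId, 'items' => ['alpha', 'beta']];

header('Content-Type: ' . (IS_AJAX ? 'application/json' : 'text/plain'));
echo IS_AJAX ? json_encode($data) : print_r($data, true);
```

A direct visit to ajax.php without a session still gets a 403 here, while a logged-in user's own Ajax call succeeds; the header only changes how the data is rendered.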

What I am doing to secure our Ajax requests: whenever any user logs in, generate a token for the user at that time, e.g. get the microtime and convert it into some hash, then attach this token to that user.

Suleman Ahmad
  • But why? Is a session-based login check not enough? – Pekka Oct 12 '13 at 15:49
  • @Pekka웃: yeah, one way you can check is with the session, but if you want parallel calls then the session might cause a deadlock; sending a token with your call solves the problem. – Suleman Ahmad Oct 12 '13 at 15:53