From: Marc Guay on 6 Aug 2010 09:41

Hi folks,

I'm looking for a straightforward way to protect PHP files which are called via AJAX from being called from outside my application. Currently, someone could foreseeably open the console and watch the JavaScript post variables to a public file (actions/delete_thing.php) and then use this knowledge to trash the place. I found this thread at Stack Overflow which seems to cover the issue I'm looking at, but it's pretty intense and I figure there's an easier way, but I'm not sure how.

http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website

It seems unlikely that this is the method everyone uses, but maybe not. Advice is nice.

Marc
From: Ashley Sheridan on 6 Aug 2010 09:50

On Fri, 2010-08-06 at 09:41 -0400, Marc Guay wrote:
> Hi folks,
>
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place. I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
>
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
>
> It seems unlikely that this is the method everyone uses, but maybe
> not. Advice is nice.
> Marc
>

I think the only sensible way to solve this is to pass a unique authentication key with each request. Usually this is done with the session id, which is checked on the server side each time an action is triggered. Sure, someone could look at the session id and copy it to a script, but sessions usually expire after a certain amount of time if they don't remain active. Even if someone did start up a script with a valid session id and make repeated requests to your system, they should only have the session id if they are a valid user of your system anyway, so whether they do it via a browser or not shouldn't make much of a difference.

If you're worried about someone logging in and using an automated process to abuse your system, you could add a logging method to your PHP code that tracks every action a user makes. This way, you can then have checks in your code to look for suspicious activity and destroy a session. Suspicious activity could be anything from lots of invalid requests to a continuous stream of requests and requests made at too regular an interval.

Thanks,
Ash
http://www.ashleysheridan.co.uk
From: Joshua Kehn on 6 Aug 2010 10:02

On Aug 6, 2010, at 9:41 AM, Marc Guay wrote:
> Hi folks,
>
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place. I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
>
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
>
> It seems unlikely that this is the method everyone uses, but maybe
> not. Advice is nice.
> Marc
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Marc-

The best way (and what I currently use) is to add a nonce-style value to the form with a random name and then also add that to the session.

    $nonce = sha1(microtime(true));
    $name = sha1(rand(0, 10));
    $_SESSION['nonce'] = array($name => $nonce);
    ?><input type="hidden" value="<?php echo $nonce; ?>" name="<?php echo $name; ?>" /><?php

Then in the processing code check the nonce value to ensure (a) it exists, and (b) it matches the current session.

You can also log all events in a table, filtering out users who make too many requests per minute / second / etc., depending on what you are using the AJAX bit for.

Thanks,
-Josh
From: tedd on 6 Aug 2010 10:27

At 9:41 AM -0400 8/6/10, Marc Guay wrote:
>Hi folks,
>
>I'm looking for a straightforward way to protect PHP files which are
>called via AJAX from being called from outside my application.
>Currently, someone could foreseeably open the console and watch the
>javascript post variables to a public file (actions/delete_thing.php)
>and then use this knowledge to trash the place. I found this thread
>at stackoverflow which seems to cover the issue I'm looking at, but
>it's pretty intense and I figure there's an easier way but I'm not
>sure how.
>
>http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
>
>It seems unlikely that this is the method everyone uses, but maybe
>not. Advice is nice.
>Marc

Marc:

The logic should go like this.

Your initial PHP script [1] first generates a form that employs an AJAX script to trigger the slave PHP script [2], right?

If so, then have script [1] generate a unique token and place it in a SESSION, such as:

    $_SESSION['token'] = $token;

Then have the PHP-generated HTML form include a hidden input statement, such as:

    <input type="hidden" name="token" value="<?php echo($token);?>" >

Note, the "hidden" isn't providing any security -- it simply means that the value isn't printed to the browser window.

Then have the slave PHP script [2] check the value in $_SESSION['token'] against the value provided by the form. If the two match, then everything has been done via your server.

Cheers,

tedd

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com
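A worked version of the session-bound token that Joshua and tedd describe, added here as an editorial example; it is not code from either of them or from anywhere in the thread. It assumes PHP 7.0 or later (for random_bytes() and hash_equals()) and the jQuery $.post() call from Marc's question. The function names render_delete_form() and handle_delete(), the session key csrf_token, and the $owner_of callable standing in for the application's data layer are all hypothetical. Beyond the posts above it shows four things a practitioner would want: the token comes from the OS CSPRNG rather than the clock, the comparison is constant-time, the endpoint refuses anything that is not a POST from a logged-in user, and ownership of the thing being deleted is still checked on the server. The token only proves the request was built from a page this server rendered for this session; it does not stop a logged-in user from scripting the endpoint with their own token, which is why the authorization check and logging remain necessary.

```php
<?php
// Added editorial example, not code from the thread. Needs PHP >= 7.0
// (random_bytes, hash_equals). The session is passed in as an array so the
// same functions work with $_SESSION in a real app and with a plain array
// in the offline self-check at the bottom.
declare(strict_types=1);

// Issue a per-session token on first use and return it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG: not derivable from the clock (unlike
        // sha1(microtime())) and never equal to the session id itself.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare a submitted token with the session copy in constant time.
function csrf_valid(array $session, $submitted): bool
{
    return is_string($submitted)
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// HTML the form page emits. The hidden input is not a secret from the user;
// jQuery's serialize() sends it along with the rest of the form.
function render_delete_form(array &$session, int $thingId): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form id="delete-form" action="actions/delete_thing.php" method="post">
  <input type="hidden" name="csrf_token" value="$token">
  <input type="hidden" name="thing_id" value="$thingId">
  <button type="submit">Delete</button>
</form>
<script>
$('#delete-form').on('submit', function (e) {
  e.preventDefault();
  $.post(this.action, $(this).serialize(), function (r) { console.log(r); });
});
</script>
HTML;
}

// The decision logic of actions/delete_thing.php, returning the HTTP status
// it would send. $owner_of is a hypothetical callable (int $thingId) => ?int
// giving the owning user id, standing in for the application's data layer.
function handle_delete(string $method, array $post, array $session, callable $owner_of): int
{
    // 1. POST only: a GET with the id in the URL can be fired by an <img>
    //    tag on any other site.
    if ($method !== 'POST') {
        return 405;
    }
    // 2. The caller must already be logged in; the token is not a login.
    if (empty($session['user_id'])) {
        return 401;
    }
    // 3. The token must be the one issued to this session.
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        return 403;
    }
    // 4. Authorization is still the server's job: does this user own this thing?
    $thingId = filter_var($post['thing_id'] ?? '', FILTER_VALIDATE_INT);
    if ($thingId === false || $owner_of($thingId) !== (int) $session['user_id']) {
        return 404; // not 403, so the endpoint does not confirm the id exists
    }
    // ... perform the delete and log "user X deleted thing Y" here ...
    return 200;
}

// ---- offline self-check with a constructed session and constructed data ----
$session  = ['user_id' => 7];
$owner_of = function (int $id): ?int { return [42 => 7, 43 => 9][$id] ?? null; };

$html  = render_delete_form($session, 42);   // issues the token
$token = $session['csrf_token'];

$cases = [
    'no token'    => handle_delete('POST', ['thing_id' => 42], $session, $owner_of),                        // 403
    'wrong token' => handle_delete('POST', ['thing_id' => 42, 'csrf_token' => 'x'], $session, $owner_of),   // 403
    'GET'         => handle_delete('GET',  ['thing_id' => 42, 'csrf_token' => $token], $session, $owner_of), // 405
    'not owner'   => handle_delete('POST', ['thing_id' => 43, 'csrf_token' => $token], $session, $owner_of), // 404
    'valid'       => handle_delete('POST', ['thing_id' => 42, 'csrf_token' => $token], $session, $owner_of), // 200
];
foreach ($cases as $name => $status) {
    printf("%-12s %d\n", $name, $status);
}
```

Run it with `php example.php` to see the five status codes. In a real deployment the two halves live in different files, each starting with session_start() and sharing the two csrf_* helpers, and the log line in step 5 is what feeds the rate checks Ashley and Joshua mention.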
From: Marc Guay on 6 Aug 2010 10:29 Thanks everyone.