Garethp Posted January 23, 2010
Ok, so I have a PHP file, called API.php, which contains a series of functions that get a result from a SOAP call using a UserId and Password. The thing is, I intend to call upon API.php using AJAX, so API.php has to output the information. I was wondering if there was any way I can make it so that it will only give access to requests sent by that one page?
jl5501 Posted January 23, 2010
If your ajax call is only in the page where you want to allow the calls from, then I suggest you add a parameter to the information passed to API.php, and if that parameter is not present, then API.php will do nothing or return an error message. That way, it will only function when called by ajax, from the correct page.
laffin Posted January 24, 2010
But that can be faked easily, by someone just looking at the javascript code, which they would do to see how your function operates. As with any source code, once it's out in the open, it just takes a dedicated person to find a way around it.
jl5501 Posted January 24, 2010
OK, point taken, but the code used could change each time the page is loaded. Obviously the called page would need to know the current value, but that could be handled with a database value or a text file on the server, or even a session value. It is very difficult to be absolutely secure in what you want to do, but you can make it harder for someone to access in ways that you do not want them to.
PHP Monkeh Posted January 24, 2010
I personally don't have much experience with AJAX, but could you use $_SERVER['HTTP_REFERER'] on the called page and make sure that it comes from your site? I can't imagine that it's 100% secure, but at least it isn't visible in the source code.
jl5501 Posted January 24, 2010
Unfortunately, $_SERVER['HTTP_REFERER'] is extremely easy to fake, and should never be used as part of a security system.
PHP Monkeh Posted January 24, 2010
Had my morning cup of brew and woken up, and obviously you're right. I always forget that it's passed via the browser. I'm sure there must be an elegant solution to this; will an AJAX-called page be able to detect a define() on the originating page, or is it totally independent?
jl5501 Posted January 24, 2010
The ajax-called page is independent of the calling page. It can only know what is passed to it. It can be called with GET or POST parameters, or of course can share a session. The choice of GET or POST with an ajax call is purely down to the amount of data you need to send, as the url on such a call is not seen in the browser, so visibility of GET params is not a problem. Some people would say that POST with ajax is harder to set up, but you just need to know the differences in setting up the POST data, from just adding the params to the url you are calling.
laffin Posted January 24, 2010
Quoting jl5501: "OK, point taken, but the code used could change each time the page is loaded. Obviously the called page would need to know the current value, but that could be handled with a database value or a text file on the server, or even a session value. It is very difficult to be absolutely secure in what you want to do, but you can make it harder for someone to access in ways that you do not want them to."

Ah, a single-use token. Yeah, this could be done.

OP: Single-use tokens are a key string usually generated by a hash function, like md5. This key is then embedded in your javascript, and also added to a database. When the javascript retrieves a page, it also sends this key. The key is verified against the db and removed if found, and you can regenerate a new token and send it back with your api function. I think that is a pretty secure method, when not using username/password.

Very well done jl
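The single-use token scheme jl5501 and laffin describe, written out as an added example (this is not code from the thread or from any of its posters). It keeps the token in the PHP session rather than a database or text file, so API.php and the calling page must share a session; the function names `issue_api_token`, `consume_api_token` and `handle_api_request`, the `token` POST parameter and the SOAP stub are all assumptions made for the example. The SOAP UserId and Password stay in server-side configuration and are never sent to the browser.

```php
<?php
// Added example: per-page-load, single-use API token kept in the PHP session.
// Assumes API.php and the page embedding the AJAX call share one session.
session_start();

// Called by the page that embeds the AJAX code. Mints a fresh, unguessable
// token, remembers it in the session and returns it for embedding.
function issue_api_token(): string
{
    // random_bytes() is a CSPRNG; md5() of a predictable value would be guessable.
    $token = bin2hex(random_bytes(32));
    $_SESSION['api_tokens'][$token] = time();
    return $token;
}

// Called by API.php before doing any work. Accepts a token exactly once:
// it is removed from the session whether or not it has expired.
function consume_api_token(string $presented, int $maxAgeSeconds = 900): bool
{
    $tokens = $_SESSION['api_tokens'] ?? [];
    foreach ($tokens as $stored => $issuedAt) {
        // hash_equals() compares in constant time.
        if (hash_equals($stored, $presented)) {
            unset($_SESSION['api_tokens'][$stored]);          // single use
            return (time() - $issuedAt) <= $maxAgeSeconds;    // and not stale
        }
    }
    return false;
}

// Placeholder for the real SOAP call; credentials come from server-side
// config (assumed path), never from the request or the page source.
function call_soap_backend(array $params): array
{
    $cfg = require '/etc/myapp/soap-credentials.php';   // assumed location
    // $client = new SoapClient($cfg['wsdl']);
    // return (array) $client->SomeOperation($cfg['UserId'], $cfg['Password'], $params);
    return ['ok' => true, 'echo' => $params];            // stub for the example
}

// What API.php does with a POST: reject missing/reused/expired tokens,
// otherwise run the SOAP call and hand back a fresh token for the next request.
function handle_api_request(array $post): array
{
    if (!consume_api_token((string) ($post['token'] ?? ''))) {
        http_response_code(403);
        return ['error' => 'invalid, expired or already used token'];
    }
    $result = call_soap_backend(array_diff_key($post, ['token' => 1]));
    $result['next_token'] = issue_api_token();
    return $result;
}

// --- in the page that contains the AJAX call (constructed usage) ---
// $token = issue_api_token();
// echo '<script>var apiToken = ' . json_encode($token) . ';</script>';
// The JavaScript POSTs apiToken together with its other parameters.

// --- in API.php ---
// header('Content-Type: application/json');
// echo json_encode(handle_api_request($_POST));
```

Two things this does and does not buy you. It stops other sites from driving API.php through a logged-in browser (a CSRF-style check) and stops a captured request from being replayed, since each token is burned on first use. It does not stop the person sitting at that browser from reading the token out of the page and calling API.php themselves, which is laffin's point: the token ties a request to a page load, not to a person, so the user still has to be authenticated in the session, and the SOAP credentials must remain on the server.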