Ok, so I have a PHP file, called API.php, which contains a series of functions that get a result from a SOAP call using a UserId and Password. The thing is, I intend to call upon API.php using AJAX, so API.php has to output the information. I was wondering if there was any way I can make it so that it will only give access to requests sent by that one page?

https://forums.phpfreaks.com/topic/189514-how-can-i-secure-this/

If your ajax call is only in the page where you want to allow the calls from, then I suggest you add a parameter to the information passed to API.php, and if that parameter is not present, then API.php will do nothing or return an error message.

 

That way, it will only function when called by ajax, from the correct page

OK, point taken, but the code used could change each time the page is loaded.

 

Obviously the called page would need to know the current value, but that could be handled, with a database value or a text file on the server, or even a session value.

 

It is very difficult to be absolutely secure in what you want to do, but you can make it harder for someone to access in ways that you do not want them to.

I personally don't have much experience with AJAX, but could you use $_SERVER['HTTP_REFERER'] on the called page and make sure that it comes from your site? I can't imagine that it's 100% secure but at least it isn't visible in the source code.

Had my morning cup of brew and woken up, and obviously you're right :P  I always forget that it's passed via the browser :)

 

I'm sure there must be an elegant solution to this, will an AJAX called page be able to detect a define() on the originating page or is it totally independent?

The ajax called page is independent of the calling page. It can only know what is passed to it.

 

It can be called with GET or POST parameters, or of course can share a session.

 

The choice of GET or POST with an ajax call is purely down to the amount of data you need to send, as the url on such a call is not seen in the browser, so visibility of GET params is not a problem. Some people would say that POST with ajax is harder to set up, but you just need to know the differences in setting up the POST data, from just adding the params to the url you are calling.
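The approach suggested in the two replies above (a value that changes on every page load, stored server-side in the session, which the AJAX call has to send back as a POST parameter) worked through as a single runnable PHP file. This is an added example, not code from the thread; the page and API.php are collapsed into one script selected by a hypothetical `?mode=` query parameter so it can be run stand-alone, and the SOAP lookup is a placeholder.

```php
<?php
// Added example (not from the thread). One file serves both roles so it runs stand-alone:
// the default mode renders the page with an embedded per-load token, and ?mode=api
// (hypothetical parameter) plays the part of API.php. Both share the same PHP session.
session_start();

function issue_page_token(): string
{
    // Fresh random value on every page load, remembered server-side in the session.
    $token = bin2hex(random_bytes(32));
    $_SESSION['api_token'] = $token;
    return $token;
}

function api_request_allowed(array $post, array $session): bool
{
    // Only a request carrying the token that this session was issued gets through.
    if (!isset($post['token'], $session['api_token'])) {
        return false;
    }
    // hash_equals() compares in constant time instead of stopping at the first mismatch.
    return hash_equals($session['api_token'], (string) $post['token']);
}

function handle_api(): void
{
    header('Content-Type: application/json');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !api_request_allowed($_POST, $_SESSION)) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        return;
    }
    // Placeholder for the real SOAP call; the UserId/Password stay on the server, never in JS.
    echo json_encode(['result' => 'soap lookup would run here']);
}

function render_page(): void
{
    $token = issue_page_token();
    $js = json_encode($token); // safe way to embed the value inside a JS string literal
    echo <<<HTML
<!doctype html>
<meta charset="utf-8">
<button id="go">Call API</button>
<pre id="out"></pre>
<script>
const token = $js;
document.getElementById('go').addEventListener('click', async () => {
  // POST: the token travels in the body, not in a URL that ends up in logs or history.
  const body = new URLSearchParams({token, action: 'lookup'});
  const r = await fetch('?mode=api', {method: 'POST', body});
  document.getElementById('out').textContent = await r.text();
});
</script>
HTML;
}

if (($_GET['mode'] ?? 'page') === 'api') {
    handle_api();
} else {
    render_page();
}
```

Run it with `php -S localhost:8000 file.php` and open the page; pressing the button makes the POST with the current token, while a direct request without it (or with a stale one from an earlier load) gets a 403. The check only proves the request comes from a browser session that loaded the page, which is exactly the limit the reply above points out: it raises the bar for outside callers, it does not make the endpoint private.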

Ah, a single-use token. Yeah, this could be done.

OP: Single-use tokens are a key string usually generated by a hash function, like md5. This key is then embedded in your JavaScript, and also added to a database.

When the JavaScript retrieves a page, it also sends this key. The key is verified against the DB and removed if found.

And you can regenerate a new token and send it back with your API function.

 

I think that is a pretty secure method, when not using username/password.
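The single-use token scheme described in this post, as an added example that is not the poster's own code: tokens are stored in a database table, the API call consumes a token in one atomic DELETE (so a replay or a second racing request finds nothing to delete), and the response carries the next token for the client to use. It assumes the pdo_sqlite extension and uses an in-memory SQLite table so it runs stand-alone; the SOAP call is a placeholder, and random_bytes() is used in place of md5() so the token cannot be predicted from whatever input would have been hashed.

```php
<?php
// Added example (not from the thread): single-use API tokens kept in a database.
// In-memory SQLite is used so this runs stand-alone; swap the DSN for the real database.

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE api_tokens (
        token      TEXT PRIMARY KEY,
        expires_at INTEGER NOT NULL
    )');
    return $db;
}

// Create a fresh token, store it with an expiry, and return it for embedding in the page's JS.
function issue_token(PDO $db, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(32)); // unpredictable, unlike md5() of a known value
    $stmt = $db->prepare('INSERT INTO api_tokens (token, expires_at) VALUES (?, ?)');
    $stmt->execute([$token, time() + $ttl]);
    return $token;
}

// Verify and invalidate in one statement: the DELETE only removes an unexpired row,
// and rowCount() tells us whether there was one. A replayed token deletes zero rows.
function consume_token(PDO $db, string $token): bool
{
    $stmt = $db->prepare('DELETE FROM api_tokens WHERE token = ? AND expires_at > ?');
    $stmt->execute([$token, time()]);
    return $stmt->rowCount() === 1;
}

// What API.php would do for one AJAX request: consume the token, do the work,
// and hand back the next token along with the result.
function api_call(PDO $db, string $token, string $action): array
{
    if (!consume_token($db, $token)) {
        return ['error' => 'invalid, expired or already used token'];
    }
    // Placeholder for the SOAP lookup made with the server-side UserId/Password.
    $result = "result of {$action}";
    return ['result' => $result, 'next_token' => issue_token($db)];
}

// Demo run
$db = open_store();
$t1 = issue_token($db);                                   // token embedded on first page load
$first  = api_call($db, $t1, 'lookup');                   // accepted, carries next_token
$replay = api_call($db, $t1, 'lookup');                   // same token again: rejected
$second = api_call($db, $first['next_token'], 'lookup');  // rotated token: accepted
var_dump(isset($first['result']), isset($replay['error']), isset($second['result']));
```

The expiry column is the piece the post does not mention: without it, a token embedded in a page that was never used sits in the table forever, so the table grows and an old copy of the page keeps a valid key. The scheme still only ties a request to "someone who was served a token", which is why the post qualifies it with "when not using username/password".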

very well done jl :)
