Securing AJAX with A Bespoke Key

imperium2335 · November 29, 2011

Hi,

I want to secure my AJAX routines which use the POST method. I want to prevent people from posting to my method with their own program/script.

I have read about making a random seed that the server knows to expect from authorized AJAX sources.

What is the basic code for doing this?

freelance84 · November 29, 2011

If the user is logged in, you can simply check for $_SESSION data

Else you can check the check the $_SERVER variables eg HTTP_REFERER

KevinM1 · November 29, 2011

Else you can check the check the $_SERVER variables eg HTTP_REFERER

Not reliable, as not all user agents set it.

freelance84 · November 29, 2011

oo.. i didn't know that. Thanks KevinM1

xyph · November 29, 2011

Your best bet is to use some sort of private key.

This kind of screws things up for AJAX though, as those requests are actually made on the client side. Any sort of private key would be revealed.

freelance84 · November 29, 2011

As $_SESSION data cannot be forged (apparently), you could start a session with a private key for every user (said key need not be unique per user) and only accept AJAX requests with said key... no need to log the user in?

Sign In

Securing AJAX with A Bespoke Key

Recommended Posts

imperium2335

Link to comment

Share on other sites

freelance84

Link to comment

Share on other sites

KevinM1

Link to comment

Share on other sites

freelance84

Link to comment

Share on other sites

xyph

Link to comment

Share on other sites

freelance84

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information