-Karl- Posted August 25, 2012

Hello,

So I have a problem and I cannot think of a way around it. Basically, I use jQuery tabs and Ajax to load a file and include it. However, I don't want a user to be able to directly access the file which is included.

Example:

    <!-- id is URL-encoded before being echoed into the href -->
    <ul>
      <li><a href="file1.php?id=<?php echo urlencode($_GET['id']); ?>">Link 1</a></li>
      <li><a href="file2.php">Link 2</a></li>
    </ul>

Let's call the main page index.php, so when a user goes to index.php they have tabs, Link 1 and Link 2. When they click Link 1, file.php is included into a pre-defined div through Ajax. I want the script to still be able to access the file, but I don't want visitors to be able to access it directly. So I came up with this cunning idea:

index.php

    <?php
    session_start();
    // Mark the session as having loaded the main page.
    $_SESSION['IS_INCLUDED'] = true;

file1.php

    <?php
    session_start();
    // Serve the content only when the flag set by index.php is present.
    if (isset($_SESSION['IS_INCLUDED']) && $_SESSION['IS_INCLUDED'] == true) {
        echo 'Do stuff!';
        // One-shot: the flag is cleared after the first request.
        unset($_SESSION['IS_INCLUDED']);
    } else {
        echo 'You cannot access this file directly.';
    }

This works perfectly, but not as required. The problem is there is more than one tab. If they click Link 1, it works fine; if they click Link 2, it works fine because the SESSION isn't yet added. However, if they click back on to Link 1, they get the error. This happens because the SESSION is unset, but without it being unset anyone could access the file directly if they've visited the page once.

Does anyone have any idea how I can get around this problem?
requinix Posted August 25, 2012

You can't really. AJAX and a normal browser visit are more or less indistinguishable from each other. The most you can hope for is to make it harder but before you head down that path you really need to think about whether this is actually a problem you need to fix or not.

What if someone sees the page without AJAX? It's not like they're seeing something they otherwise couldn't.
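Added example, not part of the thread or any poster's code: one way to "make it harder", as the reply above puts it, using a per-session token that is reused instead of the one-shot flag, so returning to Link 1 keeps working. The function names, the `fragment_token` session key and the `X-Fragment-Token` header are assumptions; plain arrays stand in for `$_SESSION` and `$_SERVER` so it runs from the command line.

```php
<?php
// Added example, not code from the thread. Function names, the session key
// and the X-Fragment-Token header are hypothetical.

// index.php side: create the token once per session and reuse it, so
// repeated tab clicks keep working (nothing is unset after a request).
function issue_fragment_token(array &$session): string
{
    if (empty($session['fragment_token'])) {
        $session['fragment_token'] = bin2hex(random_bytes(32));
    }
    return $session['fragment_token'];
}

// file1.php / file2.php side: serve the fragment only when the request
// carries the token stored in this session.
function may_serve_fragment(array $session, array $server): bool
{
    $expected = $session['fragment_token'] ?? '';
    $sent     = $server['HTTP_X_FRAGMENT_TOKEN'] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($sent) && hash_equals($expected, $sent);
}

// Constructed walk-through; arrays stand in for $_SESSION and $_SERVER.
$session = [];
$token   = issue_fragment_token($session);      // index.php is rendered
$ajax    = ['HTTP_X_FRAGMENT_TOKEN' => $token]; // header added by the page's JS

$checks = [
    'Link 1, first click'     => may_serve_fragment($session, $ajax),
    'Link 2'                  => may_serve_fragment($session, $ajax),
    'Link 1, second click'    => may_serve_fragment($session, $ajax),
    'direct visit, no header' => may_serve_fragment($session, []),
    'no session from index'   => may_serve_fragment([], $ajax),
];
foreach ($checks as $label => $allowed) {
    printf("%-26s %s\n", $label, $allowed ? 'served' : 'refused');
}
```

The token only ties a request to a session that has loaded index.php, and the visitor's own browser holds it, so this raises the bar without being an access control. Anything the fragment must protect still needs its own server-side authorization check inside file1.php.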
`Karl Posted August 25, 2012

I see your point, but I don't want it to be something that will/can be abused.
Christian F. Posted August 25, 2012

Then I'm afraid you're going about this the wrong way. First and foremost create your site so that it can be used perfectly without JavaScript enabled, then add the JS stuff to enhance the user experience. That way you are not throwing any artificial road blocks in front of your users, and you can now rely completely on the server-side of things to keep your process secured.
`Karl Posted August 25, 2012

That's pretty much irrelevant, there's nothing the visitor will be able to do accessing them directly. I'd just prefer them not to be able to. So programming it all without JS would be stupid, especially since I'm using jQuery tabs to ENHANCE the users' experience.
Jessica Posted August 25, 2012

Christian is 100% correct.
`Karl Posted August 25, 2012

> Christian is 100% correct.

Evidently not, as I just stated, it's completely secure. I just don't want them accessing it directly as a personal preference. Whether I program the tabs with jQuery, or program them stand-alone, they're still going to have access to the file. Thus, he isn't right, unless of course there was a security hole, which there isn't.