joecooper Posted October 25, 2013

Hi, I am very new to jQuery, but surprised how easy it really is. I have a simple refresh script. Every second, data.php is called and populates a div tag. How do I stop people accessing data.php directly? So only in the JS. Thanks
kicken Posted October 25, 2013

You can't really. You could do things like check for the HTTP_X_REQUESTED_WITH header which jQuery sets for ajax requests and if it's not present, kill the script. All someone would have to do though is add that header to fool your script and access it directly. For someone who would even want to try and access that script directly, adding that header would be trivial.
joecooper Posted October 25, 2013

I guess it's not a big deal if they wanted to have a look.
.josh Posted October 25, 2013

Alternatively you can output a token in a hidden field somewhere (or generate one with js as part of the ajax request payload) and check for that, but again, it's a trivial matter to circumvent. Or, you could try some "security through obscurity" by breaking it down into a chain of multiple requests. All of these (and kicken's) suggestions would help against random bots that try to request (like crawlers) and may also help weed out the more novice people, but wouldn't really help against people determined to get around it. As kicken said, bottom line is there's no way to absolutely prevent it.
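Added example, not part of the thread or any poster's code: a sketch of how data.php could apply kicken's header check and .josh's token check on the server. The function names, the `token` field, the `ajax_token` session key and the sample requests are assumptions constructed for illustration; as both replies say, this filters crawlers and casual visits and is not access control.

```php
<?php
// Added illustration; names and sample data are constructed, not from the thread.

// Issue a per-session token for the page to embed in a hidden field.
function issue_token(array &$session): string
{
    $session['ajax_token'] = bin2hex(random_bytes(16));
    return $session['ajax_token'];
}

// Decide whether a request to data.php looks like the page's own jQuery call.
// Returns a reason string on rejection, or null when the request passes.
function reject_reason(array $server, array $session, array $post): ?string
{
    // jQuery adds "X-Requested-With: XMLHttpRequest" to same-origin ajax calls;
    // PHP exposes that header as HTTP_X_REQUESTED_WITH.
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    if (strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return 'missing X-Requested-With header';
    }
    // The token must match the one stored server-side for this session.
    $expected = $session['ajax_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'missing or wrong token';
    }
    return null;
}

// Constructed requests standing in for $_SERVER, $_SESSION and $_POST.
$session = [];
$token = issue_token($session);
$ajax = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$cases = [
    'address bar / crawler' => [[], []],
    'header only'           => [$ajax, []],
    'stale token'           => [$ajax, ['token' => 'abc']],
    'page ajax call'        => [$ajax, ['token' => $token]],
];
foreach ($cases as $label => [$server, $post]) {
    $reason = reject_reason($server, $session, $post);
    printf("%-22s %s\n", $label, $reason === null ? 'served' : "403: $reason");
}
// The last case passes for any client that sends both values, which is why
// the thread treats these checks as a filter rather than protection.
```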