Stop a script running unless it was called by my ajax request.

[ToonMariner]

OK I have posted this in the ajax forum but its pretty quite so I'd liek to see if anyone in here has any ideas.

I have a php script called via an ajax request.  I want the script to ensure it has been called by this request and NOWHERE else; i.e. nobody could type the url in or even script a bot that would send a request to this script automatically.

I really need to restrict script running JUST from the ajax request on my site.

ANY ideas will be much appreciated.

[trq]

Have you tried checking the $_SERVER['HTTP_REFERER'] variable?

[corbin]

you could set a session variable on the correct referer page (since its on the same server) then check for it on the form processing to make sure they came through the page that would set the session...

[ToonMariner]

$_SERVER['HTTP_REFERER'] may not nessesscarily be sent by the client or can be set (depending on client).

The session thing could work but i'd have to unset it each time just in case they tried to leave a window open and use that as a gateway.

Gonna have to make sure I get the old logic right on this - it is critical

[corbin]

Hmm yeah didnt think about that...  Idea... make the session value random things then store the session value in a DB by sessid that way if they go to another page and come back itll reset it and their old one would be incorrect making them unable to go to another page with still the right session thing set...