Hi there,
do you have any ideas how I could secure my php files against direct
calls of the functions an ajax script calls? For example if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
the AJAX script usually writes onto my site, how can I avoid that these
calls are submitted from outside/other sites can read these calls results.
Hi Arne-Kolja,
The best you can do is "Double submit the cookie", to ensure that the
user submits it not only from a browser that's validated, but also from
the same domain (or path even, if you set the cookie tight enough)
http://www.ajaxian.com/archives/gmail-csrf-security-flaw
Siple hidden fields do _NOT_ protect you! It just makes the attack
slightly more convoluted, since the attacker will have to an extra
request to first get the hidden fields.
Checking the referer helps, but by doing that you'll also block a lot of
legitimate users.
What you should do is this:
1) When the user logs on to your app, set a cookie and a server session,
containing the same hash for that sessions:
$key = makeMySuperSecretHashKey();
$_SESSION['csrfcheck'] = $key;
setcookie('sessionhash', $key, time() + $this->cookie_lifespan,
$Paths['cookie_url'] );
2) Whenever you're sending a form to the user, include a hidden
CSRFcheck field, that will be empty,
3) The browser uses a bit of JS to fill the field in the client, before
sending it to the server.
<input name='csrfcheck' id='csrfcheck' type='hidden' value='' />
<script type='text/javascript'>
$('#csrfcheck').val( $.cookie('sessionhash') );
</script>
4) When the server receives the form, it checks if the local version of
the session hash is the same as the one that was sent with the form:
<?php
if ($_POST['csrfcheck'] != $_SESSION[ 'csrfcheck' ]) {
die('no cheating, please');
}
?>
Alternatively, if you're doing AJAXy requests, without forms that are
being served first, you can still use a similar strategy:
var csrfcheck = $.cookie('sessionhash')
$.ajax({
type: "POST",
url: "ajaxhelper.php",
data: "csrfcheck=" + csrfcheck + "&contents=" + contents,
success: function(fetchedhtml) { alert(fetchedhtml); },
error: function() { alert("Error saving file.") }
});
For this you'll need to use the Klaus' cookie plugin:
http://www.stilbuero.de/2006/09/17/cookie-plugin-for-jquery/
Hope this helps!
Best, Bob.
--
Bob den Otter - [EMAIL PROTECTED]
Two Kings - www.twokings.nl - 070 345 76 28
_______________________________________________
jQuery mailing list
[email protected]
http://jquery.com/discuss/
