Hi Arne-Kolja.

The short answer is that if you are running a site that requires users
to authenticate, your ajaxable php URLs need to require the same kind of
authentication that all your other pages do.

If you are running a public site that does not require authentication
there's nothing you can do to fully protect your ajaxable URLs... You
can make it more or less of a nuisance, but if the URLs are available
without authentication then there's no way to securely lock them down.

The long answer has to do with how much of a nuisance can you make it
for people to access your web service in ways you don't want them to.
If this is what you are looking for could you provide more detail about
the scenarios you want to prevent?

------------->Nathan


> Arne-Kolja Bachstein wrote:
> 
>       Hi there,
>       
>       do you have any ideas how I could secure my php files against direct
>       calls of the functions an ajax script calls? For example if I let my
>       AJAX script send a request to foo.php and foo.php returns a line of code
>       the AJAX script usually writes onto my site, how can I avoid these
>       calls being submitted from outside, or other sites reading the
>       results of these calls?
>         
> 
> Hi Arne-Kolja,
> 
> The best you can do is "Double submit the cookie", to ensure 
> that the user submits it not only from a browser that's 
> validated, but also from the same domain (or path even, if 
> you set the cookie tight enough)
> 
> http://www.ajaxian.com/archives/gmail-csrf-security-flaw
> 
> Simple hidden fields do _NOT_ protect you! They just make the 
> attack slightly more convoluted, since the attacker will have 
> to make an extra request to first get the hidden fields. 
> 
> Checking the referer helps, but by doing that you'll also 
> block a lot of legitimate users.
> 
> What you should do is this:
> 
> 1) When the user logs on to your app, set a cookie and a 
> server session, containing the same hash for that session:
> 
>         // Generate an unguessable per-session key (makeMySuperSecretHashKey()
>         // is a placeholder for your own generator), keep it in the server
>         // session, and also hand it to the browser as a cookie that
>         // same-origin script can read. cookie_lifespan and cookie_url are
>         // the application's own config values.
>         $key = makeMySuperSecretHashKey();
>         $_SESSION['csrfcheck'] = $key;
>         setcookie('sessionhash', $key, time() + $this->cookie_lifespan, $Paths['cookie_url']);
> 
> 
> 2) Whenever you're sending a form to the user, include a 
> hidden CSRFcheck field that will be empty.
> 
> 3) The browser uses a bit of JS to fill the field in the 
> client, before sending it to the server.
> 
> 
>       <input name='csrfcheck' id='csrfcheck' type='hidden' value='' />
> 
>       <script type='text/javascript'>
>       $('#csrfcheck').val( $.cookie('sessionhash') );
>       </script>
> 
> 
> 4) When the server receives the form, it checks if the local 
> version of the session hash is the same as the one that was 
> sent with the form:
> 
> 
> 
>       <?php 
>       // Reject the request unless the field the client filled in from the
>       // cookie is present and identical (strict comparison) to the value
>       // stored in the session at login.
>       if (!isset($_POST['csrfcheck'])
>           || $_POST['csrfcheck'] !== $_SESSION['csrfcheck']) {
>           die('no cheating, please');
>       }
>       ?>
>       
> 
> 
> 
> Alternatively, if you're doing AJAXy requests, without forms 
> that are being served first, you can still use a similar strategy:
> 
>     var csrfcheck = $.cookie('sessionhash');
>     
>     $.ajax({
>         type: "POST",
>         url: "ajaxhelper.php",
>         // pass an object so jQuery URL-encodes both values
>         data: { csrfcheck: csrfcheck, contents: contents },
>         success: function(fetchedhtml) { alert(fetchedhtml); },
>         error: function() { alert("Error saving file."); }
>     });   
>     
> 
> For this you'll need to use Klaus' cookie plugin: 
> http://www.stilbuero.de/2006/09/17/cookie-plugin-for-jquery/
> 
> Hope this helps!
> 
> Best, Bob.
> 
> 
> -- 
> Bob den Otter - [EMAIL PROTECTED] 
> Two Kings - www.twokings.nl - 070 345 76 28
> 
> 

_______________________________________________
jQuery mailing list
[email protected]
http://jquery.com/discuss/
