On Fri, 2010-08-06 at 09:41 -0400, Marc Guay wrote:

> Hi folks,
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could forseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place.  I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
> It seems unlikely that this is the method everyone uses, but maybe
> not.  Advice is nice.
> Marc

I think the only sensible way to solve this is to pass a unique
authentication key with each request. Usually this is done with the
session id, which is checked on the server-side each time an action is
triggered. Sure, someone could look at the session id and copy it to a
script, but sessions usually expire after a certain amount of time if
they don't remain active. Even if someone did start up a script with a
valid session id and make repeated requests to your system, they should
only have the session id if they are a valid user of your system anyway,
so whether they do it via a browser or not shouldn't make much of a

If you're worried about someone logging in and using an automated
process to abuse your system, you could add a logging method to your PHP
code that tracks every action a user makes. This way, you can then have
checks in your code to look for suspicious activity and destroy a
session. Suspicious activity could be anything from lots of invalid
requests to a continuous stream of requests and requests made at too
regular an interval.


Reply via email to