PHP and Ajax (security issue question)

Question

raevin 0 Newbie Poster

13 Years Ago

I've been searching Google and here, and haven't found anything that'd work for me. I'm trying to restrict access to my scripts so that they will only be accessible via the main page. On the initial page load, everything loads fine. But, if I click on a link, the define() variable I have in my main page is no longer defined to other things, so it causes a failure. Perhaps code will be more helpful.

index.php:

<?php
session_start();
define('CRC32', microtime());
@require_once('funcs.php');
?>
[...]
<div id="header">
	<div style="width: 20%; float: left;"><img src="img/logo.gif" alt="S4U Logo" /></div>
	<div id="login_form" style="width: 80%; float: right; text-align: center;"><?php require('forgotpw.php'); ?></div>
[...]

funcs.php:

<?php

function CheckAllowed(){
        if(!constant('CRC32')){
                echo("<script>alert('fail');</script>");
                //header("HTTP/1.1 404 Not Found");
        }
}
?>

forgotpw.php:

<?php
@require_once("funcs.php");

CheckAllowed();

if(!isset($_SESSION['key'])){
        echo("HI2!");
} else{
        echo("HI!");
        //echo("<script>alert('You are currently logged in.');</script>");
}
?>

I just edited this to show you, but "Forgot Password?" (forgotpw.php) is actually a link.

Basically CheckAllowed() works fine when you first go to the website, but when you click on the "Forgot Password?" link, it calls forgotpw.php and CheckAllowed() fails because CRC32 is no longer defined (I've tested this with the if() statements, forgotpw.php will load right now, but will show the "fail" dialog box as CRC32 isn't defined anymore). I've also tried not doing it via a function and putting the code right in there, but I still have the same issue.

Does anyone have any idea on how to get this to work with Ajax? I've heard of using $_SERVER as a workaround, but I haven't found anything that illustrates what to do w/ the server variables.

php

Edited 13 Years Ago by raevin because: n/a

4 Contributors
14 Replies
187 Views
23 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by raevin

R0bb0b 344 Posting Shark

13 Years Ago

I would do something like this:

<?php
//header script, include in all scripts accept your ajax php script
session_start();
$_SESSION['pageAuth'] = microtime();
if(__FILE__ == "/var/www/websitename/index.php")
{
    $fp = fopen('/var/webSec/websitename.txt', 'w'); //needs to be writable by apache, make apache the owner or writable and readable by all
    fwrite($fp, $_SESSION['pageAuth']);
    fclose($fp);    
}
?>

<?php
//ajax php script
session_start();
if(!isset($_SESSION['pageAuth']) || file_get_contents("/var/webSec/websitename.txt") != $_SESSION['pageAuth'])
{
    exit("Go Pound Sand :P");
}

//continue ajax script here
?>

Edited 13 Years Ago by R0bb0b because: n/a

R0bb0b 344 Posting Shark

13 Years Ago

Thank you, but the problem with that is once you go to index.php it'll give you a session token and then you can go to the page directly just fine (which defeats what I'm wanting to do). The safest thing I've seen so far with Ajax calls is the following:
if(empty($_SERVER['HTTP_X_REQUESTED_WITH'])){
                header("Status: 404 Not Found", true, 404);
        }

What is that? I don't see that in the manual.

diafol

13 Years Ago

It's not perfect but what about using $_SERVER?

R0bb0b 344 Posting Shark

13 Years Ago

right, it depends on the header, which can be manipulated. Given that, I wouldn't be surprised if HTTP_X_REQUESTED_WITH also comes from the header.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

raevin 0 Newbie Poster · Answer 1 · 2010-12-02T02:01:49+00:00

Thank you, but the problem with that is once you go to index.php it'll give you a session token and then you can go to the page directly just fine (which defeats what I'm wanting to do). The safest thing I've seen so far with Ajax calls is the following:

if(empty($_SERVER['HTTP_X_REQUESTED_WITH'])){
                header("Status: 404 Not Found", true, 404);
        }

raevin 0 Newbie Poster · Answer 2 · 2010-12-02T02:52:42+00:00

What is that? I don't see that in the manual.

$_SERVER isn't an official SERVER response in PHP, but prototype.js and jQuery send this additional header when it makes a request call (GET/POST) via Ajax.

raevin 0 Newbie Poster · Answer 3 · 2010-12-02T02:56:54+00:00

It's not perfect but what about using $_SERVER?

I thought about that, but I never really liked that as a viable solution (for anything, really).

somedude3488 228 Nearly a Posting Virtuoso · Answer 4 · 2010-12-02T03:04:56+00:00

If you are just trying to restrict access to the those pages, just move them outside of public domain and use the main page that you are talking about to include them.

Seems simple enough to me, but I may be missing the point.

raevin 0 Newbie Poster · Answer 5 · 2010-12-02T03:06:03+00:00

right, it depends on the header, which can be manipulated. Given that, I wouldn't be surprised if HTTP_X_REQUESTED_WITH also comes from the header.

It is, I just checked w/ both Tamper Data and LiveHTTPHeaders in Firefox, and it shows this;
X-Requested-With: XMLHttpRequest

It's still not a safe-sound solution, but it's the best to do...only better would to be sure it has that text exactly.

R0bb0b 344 Posting Shark · Answer 6 · 2010-12-02T03:06:20+00:00

http://www.gnu.org/software/wget/manual/html_node/HTTP-Options.html

I could probably fire the script with wget from my mac

raevin 0 Newbie Poster · Answer 7 · 2010-12-02T03:07:07+00:00

If you are just trying to restrict access to the those pages, just move them outside of public domain and use the main page that you are talking about to include them.
Seems simple enough to me, but I may be missing the point.

That's not possible via using Ajax calls because JavaScript can't access the filesystem itself, as far as I know anyways.

somedude3488 228 Nearly a Posting Virtuoso · Answer 8 · 2010-12-02T03:26:51+00:00

I guess I am confused as to what the op is trying to do.

Are you trying to load pages with ajax?

From the code you have I don't see anything that really has to do with ajax.

R0bb0b 344 Posting Shark · Answer 9 · 2010-12-02T03:26:54+00:00

That's not possible via using Ajax calls because JavaScript can't access the filesystem itself, as far as I know anyways.

That's fine but any version of including the script is still stuck within the realm of the http protocol.

Any authentication is going to have to be server side if you are really worried about security. You cannot rely on anything coming from the header. And you cannot just have the script authenticate itself because again, that can be manipulated.

raevin 0 Newbie Poster · Answer 10 · 2010-12-02T03:58:44+00:00

@kkeith: The Ajax calls are in a seperate file that holds no bearing to this question/issue.

@R0bb0b: That's right. But, since define/d() doesn't work with Ajax, I have nothing to work with besides the headers...:/