0

I am currently developing jquery code that sends data to the server via ajax that is then inserted into the database based on the request parameters.

However, I am rather concerned that this could be abused by CSRF attacks which would make things rather insecure. I have tried to research this and only find answers for specific frameworks such as django and rails where I am only after a generic implementation for use with PHP.

I have read that you can use the JQuery.ajaxsend() function to implement the code so that a token is sent with EVERY AJAX request however I have no idea how this can be implemented as JavaScript obviously has no access to the PHP session variables. Would the use of cookies be secure enough?

Basically I need to be able to check the origin of the request to ensure that the request is genuine and not a forged request used to take advantage of the system.

If anyone can point me in the right direction that would be most appreciated!

Improve this question

2 Answers 2

Reset to default
1

Well, do know that $.ajax seems to send the cookies, including the PHP session cookie, with its request. Using that feature changes your attack from CSRF to session hijacking, but it's a start. Next, run your service over SSL if you can to avoid the session hijacking.

I'm sure there are other ways to do this as well, but for vanilla PHP, this seems to work. Someone correct me if I'm wrong, please.

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

This assumes that AJAX requests are authenticated by something in the session.
Well the user will need to be logged in, in order for them to have access. So there will be checks with the PHP session for authentication.
Also there doesn't seem to be any session cookie info being sent with $.ajax.
@MichaelMior Yes, I took the mention of "JavaScript obviously has no access to the PHP session variables" to mean that there is a PHP session that would be useful in validating the request.
@DanielWest Hrm... I wrote something just last night that relied on that being the case, and it worked in Chrome at least with the method being POST. Which browser?
|
1

Here's how it's done in Django, but there's nothing that's framework specific (besides setting the CSRF token in the cookie as 'csrftoken'): https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax

Improve this answer

2 Comments

So i'm guessing the token can be generated and added into the cookie on login by using PHP? As there is no function for generating the token in their example code.
Django uses middleware to add the CSRF token to the cookie on every page view (if it's not already there). Said middleware also checks every form post to validate that the CSRF token is there & correct (either in the POST params or in the X-CSRFToken header).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.