1

In my CMS, I have a page which loads lots of mini-interfaces into a panel using AJAX. Those interfaces come from various PHP files in a /ajax directory.

Would it be possible somehow to only allow access to those files using ajax, and not just by browsing to them?

My concern is, of course, that someone finds out about the /ajax directory, and gets access to the core functionality of the CMS without even having to log in. Of course I could import my user class and authenticate each of the AJAX files individually, but would it be possible to only allow access through AJAX?

3 Comments
  • 3
    No, you must put your authentication code into every request which processes server-side code. Commented Dec 7, 2011 at 19:27
  • 2
    This is a terrible security model. Commented Dec 7, 2011 at 19:28
  • @NullUserException I didn't say this was my security model in any production code - I was just curious... Commented Dec 7, 2011 at 19:31

7 Answers

5

Would it be possible somehow to only allow access to those files using ajax, and not just by browsing to them?

No.

You could add extra HTTP headers, or modify existing ones (such as Accept) when you make the request from JavaScript … but since you are trying to do this for security reasons, that would be insufficient.

Of course I could import my user class and authenticate each of the AJAX files individually

Do that. Ajax requests are not special. They are just HTTP requests. End points created for Ajax should be secured with authentication/authorization just like any other HTTP request end point.


3 Comments

thanks - will the PHP $_SESSION variable be exactly the same when accessed through AJAX?
What about WebSockets?
@alessadro - What about them? This question has nothing to do with websockets.
5

No. A hacker could just fake Ajax requests, anyway. You need to authenticate everywhere or you'll get screwed.


2

From outside a browser, it's possible for anybody to initiate HTTP requests to any public URL on your site. There's nothing special about AJAX requests other than headers, and those can be spoofed easily.

Now what can't be easily spoofed is a secure session mechanism. If you're requiring people to log in, then you should be doing that anyway.


1

Simple answer, "no".

Your ajax files should also validate the user is logged in the same way as the front end of your system does.


1

AJAX is almost the same request as a standard request; you can check the header, but this is not a secure way. So, in short, you can't do this. Authenticate on the server side, as you have proposed.


0

Authenticate your AJAX files. If there are lots of them, create a class and extend it in each individual AJAX file.

/ajax/abstract.php:

<?php
// Shared base for every /ajax script: the constructor only runs the
// subclass' display() when the server-side session says the user is
// logged in. The 'user_id' session key is an example name; replace it
// with whatever your user class stores at login.
abstract class AjaxHandler {

    public function __construct() {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $authenticated = !empty($_SESSION['user_id']);
        if ($authenticated) {
            $this->display();
        }
        else {
            header('HTTP/1.1 401 Unauthorized');
            exit;
        }
    }

    // Each concrete handler supplies its own output routine.
    abstract public function display();
}

Then in each file, i.e. /ajax/get_user_profile.php:

<?php
require_once __DIR__ . '/abstract.php';

class GetUserProfile extends AjaxHandler {

    public function display() {
        // do your routine
    }
}

// Instantiating runs the constructor, which performs the check.
new GetUserProfile();

1 Comment

How does one use this? I'm interested to know how this works.
-1

Well, an alternative option you could have is to use the POST method to get the content from the PHP, and in your PHP you should set a key for the POST method. And then, system-wide, remove cross-origin access. :)

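Putting the accepted answer's advice and the POST-key idea from the last answer into one shared guard, as an added example that is not code from any answer on this page: every script under /ajax includes it first, it trusts only the server-side session (the same $_SESSION the rest of the CMS sees, since a same-origin XMLHttpRequest sends the session cookie), and it ignores headers such as X-Requested-With that any HTTP client can set. The session key names and the header name X-CSRF-Token are assumptions.

```php
<?php
// Added example, not code from any answer on this page. Guard for
// /ajax scripts: authentication comes from the session only; for
// state-changing requests a per-session token is also required, which
// is what "a key for the POST method" amounts to. Session key names
// ('user_id', 'csrf_token') are assumptions.
declare(strict_types=1);

function ajax_require_login(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Nothing in the request itself proves a login; only server-side
    // session state established by the normal login flow does.
    if (empty($_SESSION['user_id'])) {
        ajax_reject(401, 'authentication required');
    }
    // Writes must carry the token the logged-in page was given, so a
    // cross-origin page cannot ride on the user's cookies.
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
        $expected = $_SESSION['csrf_token'] ?? '';
        if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
            ajax_reject(403, 'invalid request token');
        }
    }
    return (int) $_SESSION['user_id'];
}

// Call once after a successful login; echo the result into the page's
// JavaScript so it can send it back with each non-GET AJAX request.
function ajax_issue_csrf_token(): string
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Same response whether or not the request "looked like" AJAX.
function ajax_reject(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// In /ajax/get_user_profile.php:
//   require_once __DIR__ . '/guard.php';
//   $userId = ajax_require_login();
//   echo json_encode(['id' => $userId]);
```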
