AJAX Call Authentication

JavaScript and client side scripting.

Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

AJAX Call Authentication

Post by Jonah Bron »

Hello, world!

I'm doing some AJAX stuff, and I'm calling a PHP page for some settings variables. The issue is, I want this call to be authenticated to some extent. The call goes like "get_variable.php?var=somevar". I don't want just anybody to call that page and get the result. How do I make reasonably sure that it is coming from my page? Should I pass a password via POST in the AJAX?

Thanks!
Last edited by Jonah Bron on Sun Feb 28, 2010 3:25 pm, edited 2 times in total.
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Re: AJAX Call Authentication

Post by kaszu »

I guess you could pass the session ID and, if the session exists, give the result; otherwise don't. You can't really trust anything else, at least nothing I can think of.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Post by Jonah Bron »

Okay. Do you mean that I would send the session ID in POST? How would I get that ID in javascript? Does it need to access the session cookie?

Thanks.
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Re: AJAX Call Authentication

Post by kaszu »

It doesn't matter whether it's sent by POST, GET or COOKIE (the usual way).
Just check whether the session exists; if it does, then most likely this AJAX call was made from your website.
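What kaszu describes, as an added example that is not code from the original thread: a get_variable.php that calls session_start() and refuses the request unless the login code has already stored a user id in the session. The setting names, the $_SESSION['user_id'] key and the JSON response shape are assumptions made for the example. Nothing has to be read from the cookie in JavaScript, because the browser attaches the session cookie to a same-origin XMLHttpRequest exactly as it does to a normal page load.

```php
<?php
// get_variable.php (added example; assumes the login code elsewhere sets
// $_SESSION['user_id'] after a successful login)
declare(strict_types=1);

// Settings the endpoint is allowed to reveal (assumed names and values).
// Anything not listed is refused, so the script cannot be used to read
// arbitrary server-side variables.
const EXPOSED_SETTINGS = [
    'theme'          => 'dark',
    'items_per_page' => '25',
];

// True only if the login code stored a user id in this session.
function is_authenticated(array $session): bool
{
    return isset($session['user_id']);
}

// Value of an allowlisted setting, or null if the name is not on the list.
function lookup_setting(string $name): ?string
{
    return EXPOSED_SETTINGS[$name] ?? null;
}

// Send a JSON body with the given HTTP status and stop.
function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo json_encode($body);
    exit;
}

session_start();

// The browser sends the session cookie with same-origin XMLHttpRequests,
// so a logged-in user's AJAX call arrives in the same session as a page load.
if (!is_authenticated($_SESSION)) {
    respond(401, ['error' => 'login required']);
}

// ?var[]=x would make $_GET['var'] an array; accept only a plain string.
$name = $_GET['var'] ?? null;
if (!is_string($name)) {
    respond(400, ['error' => 'missing or malformed var parameter']);
}

$value = lookup_setting($name);
if ($value === null) {
    respond(404, ['error' => 'unknown setting']);
}

respond(200, ['var' => $name, 'value' => $value]);
```

Two practical notes on this pattern: call session_regenerate_id(true) in the login code when the user's privilege changes, so a session ID an attacker planted or captured before login is worthless afterwards; and treat the session check as authentication only, since a logged-in user's browser can still be made to issue this request by a page on another site (the cross-site request forgery problem raised later in the thread).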
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Post by Jonah Bron »

Oh, I see: use PHP to check. So an AJAX call passes the same stuff a normal page request would? I didn't know that, but it does make sense. I'll do that.

Much appreciated!
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Post by Jonah Bron »

Oh, I just came up with (what I think is) a really clever idea. When the user logs on, put his IP address into a session. Then, just compare the IP of the machine calling to the IP in the session. Would that be good? Is the IP address safe, or can it be hacked?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: AJAX Call Authentication

Post by VladSun »

I think it's not good. Use session variables instead.
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: AJAX Call Authentication

Post by VladSun »

How do I make reasonably sure that it is coming from my page?
I think you want to protect your site against http://en.wikipedia.org/wiki/Cross-site_request_forgery?

Google for some solutions - plenty of them.
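The CSRF defence VladSun points to, as an added example that is not the thread's own code: a per-session random token is embedded in the page, the AJAX call sends it back in a custom request header, and the endpoint compares it with the session copy using hash_equals before doing any work. The header name X-CSRF-Token, the meta tag, and the single-file layout (GET serves the host page, POST is the AJAX endpoint) are assumptions made for the example.

```php
<?php
// csrf_demo.php (added example). GET renders the host page with the token;
// POST is the AJAX endpoint that verifies it. Assumes PHP sessions are in use.
declare(strict_types=1);

// Create the session's CSRF token once, then keep returning the same one.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_token_valid(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Host page: the token is visible only to this page's own script.
    // A page on another origin cannot read it, so it cannot forge the call.
    $token = htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES, 'UTF-8');
    header('Content-Type: text/html; charset=UTF-8');
    echo <<<HTML
<!DOCTYPE html>
<meta name="csrf-token" content="{$token}">
<body>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open('POST', location.pathname);
  xhr.setRequestHeader('X-CSRF-Token',
      document.querySelector('meta[name="csrf-token"]').content);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onload = function () {
    document.body.textContent = xhr.status + ' ' + xhr.responseText;
  };
  xhr.send('var=' + encodeURIComponent('theme'));
</script>
</body>
HTML;
    exit;
}

// AJAX endpoint: PHP exposes the custom header as $_SERVER['HTTP_X_CSRF_TOKEN'].
// A request without the right token is refused before anything else happens.
if (!csrf_token_valid($_SESSION, $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null)) {
    http_response_code(403);
    exit('CSRF token missing or invalid');
}

$name = $_POST['var'] ?? '';
if (!is_string($name)) {
    $name = '';
}
header('Content-Type: text/plain');
echo 'token accepted for var=' . $name;
```

The token complements, rather than replaces, the session check: the session proves who the user is, the token proves the request was built by a page served to that user from this site. Sending it in a custom header has a second benefit: a browser will not attach a custom header to a cross-origin request without a CORS preflight that the server must explicitly approve. The token does not help if an attacker can already run script on the page (an XSS hole lets them read the meta tag), so output escaping elsewhere on the site still matters.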
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Post by Jonah Bron »

VladSun wrote:I think it's not good. Use session variables instead.
No, my idea was to prevent session spoofing. It does use sessions, but the IP comparison is just an extra measure of security.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re:

Post by VladSun »

What is "session spoofing"?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: AJAX Call Authentication

Post by Jonah Bron »

Oops! I got my terms mixed up. I meant "session hijacking", where someone manually puts a cookie on their computer with the session id of someone else.