AJAX Call Authentication
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
AJAX Call Authentication
Hello, world!
I'm doing some AJAX stuff, and I'm calling a PHP page for some settings variables. The issue is, I want this call to be authenticated to some extent. The call goes like "get_variable.php?var=somevar". I don't want just anybody to call that page and get the result. How do I make reasonably sure that it is coming from my page? Should I pass a password via POST in the AJAX?
Thanks!
Last edited by Jonah Bron on Sun Feb 28, 2010 3:25 pm, edited 2 times in total.
Re: AJAX Call Authentication
I guess you could pass session id and if session exists, then give result, otherwise don't. You can't really trust anything else, at least nothing I can think of.
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: AJAX Call Authentication
It doesn't matter if it's sent by POST, GET or COOKIE (usual way).
Just check if session exists and if it does then most likely this ajax call was made from your website.
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: AJAX Call Authentication
I think it's not good. Use session variables instead.
There are 10 types of people in this world, those who understand binary and those who don't
Re: AJAX Call Authentication
"How do I make reasonably sure that it is coming from my page?"
I think you want to protect your site against http://en.wikipedia.org/wiki/Cross-site_request_forgery ?
Google for some solutions - plenty of them.
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: AJAX Call Authentication
Oops! I got my terms mixed up. I meant "session hijacking", where someone manually puts a cookie on their computer with the session id of someone else.
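Added example, not code from any poster in this thread: the session check and CSRF token check suggested in the replies, applied to the get_variable.php endpoint from the question, with session cookie flags that make the cookie harder to steal. The session keys `user_id` and `csrf_token`, the `X-CSRF-Token` header and the allowlisted settings are assumptions made for illustration.

```php
<?php
// get_variable.php: added example, not code from the thread.
// Assumed names: $_SESSION['user_id'], $_SESSION['csrf_token'],
// the X-CSRF-Token request header, and the settings in $allowed.

// Harden the session cookie before starting the session (PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not attached to cross-site sub-requests
]);
session_start();

function deny(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $reason]);
    exit;
}

// 1. Require a session that the login code populated. A bare session
//    cookie is not enough: session_start() creates an empty session
//    for any visitor, so check for a value that is only set at login.
if (empty($_SESSION['user_id'])) {
    deny(401, 'not logged in');
}

// 2. CSRF check. The page that makes the AJAX call embeds the token
//    (created at login with bin2hex(random_bytes(32))) and sends it
//    back in a request header; compare in constant time.
$sent     = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
$expected = $_SESSION['csrf_token'] ?? '';
if ($expected === '' || !hash_equals($expected, $sent)) {
    deny(403, 'bad token');
}

// 3. Only return settings that are explicitly allowlisted.
$allowed = ['theme' => 'dark', 'page_size' => 25]; // constructed sample values
$var = $_GET['var'] ?? '';
if (!is_string($var) || !array_key_exists($var, $allowed)) {
    deny(404, 'unknown variable');
}

header('Content-Type: application/json');
echo json_encode([$var => $allowed[$var]]);
```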