AJAX Call Authentication
Posted: Sat Feb 27, 2010 11:53 pm
by Jonah Bron
Hello, world!
I'm doing some AJAX stuff, and I'm calling a PHP page for some settings variables. The issue is, I want this call to be authenticated to some extent. The call goes like "get_variable.php?var=somevar". I don't want just anybody to call that page and get the result. How do I make reasonably sure that it is coming from my page? Should I pass a password via POST in the AJAX?
Thanks!
Re: AJAX Call Authentication
Posted: Sun Feb 28, 2010 12:47 pm
by kaszu
I guess you could pass session id and if session exists, then give result, otherwise don't. You can't really trust anything else, at least nothing I can think of.
Posted: Sun Feb 28, 2010 12:56 pm
by Jonah Bron
Okay. Do you mean that I would send the session ID in POST? How would I get that ID in JavaScript? Does it need to access the session cookie?
Thanks.
Re: AJAX Call Authentication
Posted: Sun Feb 28, 2010 1:09 pm
by kaszu
It doesn't matter if it's sent by POST, GET or COOKIE (usual way).
Just check if session exists and if it does then most likely this ajax call was made from your website.
Posted: Sun Feb 28, 2010 1:15 pm
by Jonah Bron
Oh, I see: use PHP to check. So an AJAX call passes the same stuff a normal page request would? I didn't know that, but it does make sense. I'll do that.
Much appreciated!
Posted: Sun Feb 28, 2010 2:04 pm
by Jonah Bron
Oh, I just came up with (what I think is) a really clever idea. When the user logs on, put his IP address into a session. Then, just compare the IP of the machine calling to the IP in the session. Would that be good? Is the IP address safe, or can it be hacked?
Re: AJAX Call Authentication
Posted: Mon Mar 01, 2010 6:30 am
by VladSun
I think it's not good. Use session variables instead.
Re: AJAX Call Authentication
Posted: Mon Mar 01, 2010 6:32 am
by VladSun
How do I make reasonably sure that it is coming from my page?
I think you want to protect your site against
http://en.wikipedia.org/wiki/Cross-site_request_forgery?
Google for some solutions - plenty of them.
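A PHP endpoint that combines the session check kaszu describes with the CSRF protection VladSun points to, as an added example (not code from anyone in this thread); the session keys, the header name and the settings list are assumptions:

```php
<?php
// get_variable.php: settings endpoint called by the page's AJAX code (added
// example, not the original poster's code). Assumes the login code sets
// $_SESSION['user_id'] and $_SESSION['csrf_token'] = bin2hex(random_bytes(32)).

declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// Settings the page is allowed to ask for; anything else is rejected.
const ALLOWED_VARS = [
    'theme'          => 'dark',
    'items_per_page' => 25,
];

function deny(int $status, string $reason): void
{
    http_response_code($status);
    echo json_encode(['error' => $reason]);
    exit;
}

// 1. Authentication: the browser sends the session cookie with an
//    XMLHttpRequest just like with a normal page load, so a request
//    without a logged-in session is anonymous and gets nothing.
if (empty($_SESSION['user_id'])) {
    deny(401, 'not logged in');
}

// 2. CSRF defence: the cookie alone does not prove the request came from
//    our page, because another site can make the browser send it. Require
//    a token that only our page knows (embedded in the HTML by the server,
//    sent back in a header) and compare it in constant time.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    deny(403, 'bad or missing CSRF token');
}

// 3. Input validation: only known setting names, no arbitrary lookups.
$var = $_GET['var'] ?? '';
if (!array_key_exists($var, ALLOWED_VARS)) {
    deny(400, 'unknown variable');
}

echo json_encode(['var' => $var, 'value' => ALLOWED_VARS[$var]]);
```

On the client, the page's JavaScript reads the token the server put into the HTML and sends it with `xhr.setRequestHeader('X-CSRF-Token', token)` before calling `get_variable.php?var=theme`.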
Posted: Tue Mar 02, 2010 11:35 am
by Jonah Bron
VladSun wrote: I think it's not good. Use session variables instead.
No, my idea was to prevent session spoofing. It does use sessions, but the IP comparison is just an extra measure of security.
Re:
Posted: Thu Mar 04, 2010 3:56 am
by VladSun
What is "session spoofing"?
Re: AJAX Call Authentication
Posted: Mon Mar 15, 2010 5:39 pm
by Jonah Bron
Oops! I got my terms mixed up. I meant "session hijacking", where someone manually puts a cookie on their computer with the session id of someone else.