Securing pages accessed by XHR

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Securing pages accessed by XHR

Post by VirtuosiMedia »

I'm looking for suggestions on securing pages loaded by an XHR request. I'm making an admin section for a script that loads pages into modal window via XHR. I'd like to make those pages inaccessible by direct access. I've seen other scripts define a constant in the loading page and then check for it with each loaded file; if the constant is missing, the script is killed. However, PHP constants don't seem to work with XHR, although session data does. I can accomplish the same thing with sessions, but I wonder if there might be a better way. Any suggestions on either preventing direct access or making the whole process more secure?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing pages accessed by XHR

Post by Mordred »

You can't stop direct access to the ajax backend, or the browser will not see it, and the whole thing will not work.
Instead, treat it like a regular web script and use the usual methods for securing web scripts. Post code if you have doubts.
User avatar
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Securing pages accessed by XHR

Post by VirtuosiMedia »

Mordred wrote:You can't stop direct access to the ajax backend, or the browser will not see it, and the whole thing will not work.
Instead, treat it like a regular web script and use the usual methods for securing web scripts. Post code if you have doubts.
The following php code won't allow direct access, at least as far as I can tell.

My index.php file, which loads all other pages via XHR.

Code: Select all

 
<?php
session_start();
$_SESSION['user_token'] = 10ASd9823r3SDF;
 
//Javascript and the rest of the code would go here
?>
 
My test.php file, which is loaded by index.php

Code: Select all

 
<?php
session_start();
 
if ($_SESSION['user_token'] != '10ASd9823r3SDF'){
    die('Access Denied');
} else {
    echo 'Access Granted';
}
 
//The rest of the file goes here
 
?>
 
The token wouldn't be hardcoded in production, but I just wrote it like that for example purposes. I'd probably have it be a temporary token, created on login. Each file would then check the token against the user id and access permissions.

The session data passes when test.php is loaded into a modal window, but I'm not able to access test.php directly if I haven't first established my session. Is there some way that it can be accessed that I don't know about, because this seems to work? Is it otherwise insecure?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing pages accessed by XHR

Post by Mordred »

This does not stop direct access, it stops accessing the backend script (test.php) without first accessing the main script (index.php).
I still don't see the point of that - what are you protecting against? An attacker can easily replicate the browser accessing index.php and then test.php
User avatar
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Securing pages accessed by XHR

Post by VirtuosiMedia »

Mordred wrote:This does not stop direct access, it stops accessing the backend script (test.php) without first accessing the main script (index.php).
I still don't see the point of that - what are you protecting against? An attacker can easily replicate the browser accessing index.php and then test.php
I think that perhaps I didn't explain well enough. The index.php file is an administration section and should only be able to be accessed by logging in. And test.php is supposed to be only accessible from index.php through a modal window, but not by typing in its actual url. It would be something similar to this, but password-protected.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing pages accessed by XHR

Post by Mordred »

Mordred already wrote:use the usual methods for securing web scripts
Use whatever mechanism you use to stop non-authorized users to access index.php to also stop non-authorized users to access test.php
Post Reply