Securing pages accessed by XHR

Posted: Mon Jul 07, 2008 1:50 pm
by VirtuosiMedia
I'm looking for suggestions on securing pages loaded by an XHR request. I'm making an admin section for a script that loads pages into a modal window via XHR. I'd like to make those pages inaccessible by direct access. I've seen other scripts define a constant in the loading page and then check for it with each loaded file; if the constant is missing, the script is killed. However, PHP constants don't seem to work with XHR, although session data does. I can accomplish the same thing with sessions, but I wonder if there might be a better way. Any suggestions on either preventing direct access or making the whole process more secure?

Re: Securing pages accessed by XHR

Posted: Mon Jul 07, 2008 3:46 pm
by Mordred
You can't stop direct access to the ajax backend, or the browser will not see it, and the whole thing will not work.
Instead, treat it like a regular web script and use the usual methods for securing web scripts. Post code if you have doubts.

Re: Securing pages accessed by XHR

Posted: Mon Jul 07, 2008 4:21 pm
by VirtuosiMedia
Mordred wrote: You can't stop direct access to the ajax backend, or the browser will not see it, and the whole thing will not work.
Instead, treat it like a regular web script and use the usual methods for securing web scripts. Post code if you have doubts.

The following PHP code won't allow direct access, at least as far as I can tell.

My index.php file, which loads all other pages via XHR.

Code:

 
<?php
session_start();
$_SESSION['user_token'] = '10ASd9823r3SDF';
 
//Javascript and the rest of the code would go here
?>
 
My test.php file, which is loaded by index.php

Code:

 
<?php
session_start();
 
if ($_SESSION['user_token'] != '10ASd9823r3SDF'){
    die('Access Denied');
} else {
    echo 'Access Granted';
}
 
//The rest of the file goes here
 
?>
 
The token wouldn't be hardcoded in production, but I just wrote it like that for example purposes. I'd probably have it be a temporary token, created on login. Each file would then check the token against the user id and access permissions.

The session data passes when test.php is loaded into a modal window, but I'm not able to access test.php directly if I haven't first established my session. Is there some way that it can be accessed that I don't know about, because this seems to work? Is it otherwise insecure?

Re: Securing pages accessed by XHR

Posted: Tue Jul 08, 2008 6:35 am
by Mordred
This does not stop direct access, it stops accessing the backend script (test.php) without first accessing the main script (index.php).
I still don't see the point of that - what are you protecting against? An attacker can easily replicate the browser accessing index.php and then test.php.

Re: Securing pages accessed by XHR

Posted: Tue Jul 08, 2008 1:30 pm
by VirtuosiMedia
Mordred wrote: This does not stop direct access, it stops accessing the backend script (test.php) without first accessing the main script (index.php).
I still don't see the point of that - what are you protecting against? An attacker can easily replicate the browser accessing index.php and then test.php.

I think that perhaps I didn't explain well enough. The index.php file is an administration section and should only be able to be accessed by logging in. And test.php is supposed to be only accessible from index.php through a modal window, but not by typing in its actual URL. It would be something similar to this, but password-protected.

Re: Securing pages accessed by XHR

Posted: Tue Jul 08, 2008 5:03 pm
by Mordred
Mordred already wrote: use the usual methods for securing web scripts

Use whatever mechanism you use to stop non-authorized users from accessing index.php to also stop non-authorized users from accessing test.php.
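
The advice in this last reply, sketched as an added example that is not part of the original thread: one guard that both index.php and test.php include, so the XHR-loaded page enforces the same login and permission check as the page that loads it. The file name auth.php, the function names and the session keys user_id and permissions are assumptions.

```php
<?php
// auth.php (hypothetical file name): included at the top of index.php AND test.php.
// Assumption: the login handler stores 'user_id' and a 'permissions' array in the session.

function is_authorized(array $session, string $permission): bool
{
    // An established session alone proves nothing; require an authenticated user ...
    if (empty($session['user_id'])) {
        return false;
    }
    // ... who holds the permission this particular page needs.
    $granted = $session['permissions'] ?? [];
    return is_array($granted) && in_array($permission, $granted, true);
}

function require_permission(string $permission): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_authorized($_SESSION, $permission)) {
        http_response_code(403);
        exit('Access Denied');
    }
}

// In test.php (and index.php) the first lines would be:
//   require __DIR__ . '/auth.php';
//   require_permission('admin');

// Constructed sample sessions, checked only when PHP runs from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'no session data'        => [],
        'visited index.php only' => ['user_token' => '10ASd9823r3SDF'],
        'logged in, not admin'   => ['user_id' => 7, 'permissions' => ['editor']],
        'logged in admin'        => ['user_id' => 1, 'permissions' => ['admin']],
    ];
    foreach ($samples as $label => $session) {
        printf("%-24s %s\n", $label, is_authorized($session, 'admin') ? 'allowed' : 'denied');
    }
}
```

Run from the command line, only the last sample is allowed; a session that merely carries the index.php token from the earlier post is denied because no user is logged in.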