Protecting my XML pages

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Cole22
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 5:58 am

Post by Cole22 »

I've written an AJAX application with pages that generate the required XML based on the $_GET variables passed to it and Javascript code which makes the required requests.

My problem is that right now, anyone calling the required URL eg. http://mysite.com/getxml.php?id=1 can get at my XML feeds. How do I protect them so that only my site has access to it?

Thanks for the help
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

Are you saying so that only your javascript (AJAX program) has access to it?

I don't see how that would be possible...
Sema
Forum Commoner
Posts: 34
Joined: Fri Sep 03, 2004 12:43 pm
Location: Aalborg, Denmark

Post by Sema »

What data is in these xml files when you don't want the user to see them?

In my opinion, if you need client-side JavaScript to access data, it can't be considered secure data, and therefore it should not be a problem if the user would see this xml file. Is it to stop a user from using the xml file in rss readers or on their own sites? Or are there some kind of "secret" data in the xml file you don't want the user to see?
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

You can check for a session before creating the xml files :)
Cole22
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 5:58 am

Post by Cole22 »

Sema wrote: Or are there some kind of "secret" data in the xml file you don't want the user to see?

No, there's nothing secret.

Sema wrote: Is it to stop a user from using the xml file in rss readers or on their own sites?

Yes, exactly that.
Cole22
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 5:58 am

Post by Cole22 »

I was hoping to get a simple solution like just checking the referrer header, but that is easily spoofed, so sessions it is then. Thanks hawleyjr.
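A session-gated version of the getxml.php endpoint from the first post, written here as an added example rather than code from this thread. It assumes the page that serves the JavaScript has already started a session and set a `$_SESSION['site_user']` marker (a hypothetical name), and it uses constructed sample data in place of the real lookup.

```php
<?php
// getxml.php -- added example, not code from the original thread.
// Assumes the page that loads the JavaScript has already called session_start()
// and set $_SESSION['site_user'] (hypothetical key) after its own visit/login logic.
session_start();

// Gate: no session established by our own pages -> refuse before doing any work.
// This is the "check for a session before creating the xml" suggestion in practice.
if (empty($_SESSION['site_user'])) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// Validate the id parameter strictly instead of trusting $_GET blindly.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Bad request');
}

// Constructed sample data standing in for the real lookup (e.g. a database query).
$items = [
    1 => ['title' => 'First item',  'body' => 'Hello & <welcome>'],
    2 => ['title' => 'Second item', 'body' => 'More text'],
];
if (!isset($items[$id])) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Not found');
}

// Build the XML with the DOM API so special characters (&, <, >) are escaped for us.
$doc  = new DOMDocument('1.0', 'UTF-8');
$root = $doc->createElement('item');
$root->setAttribute('id', (string) $id);
$root->appendChild($doc->createElement('title'))->appendChild($doc->createTextNode($items[$id]['title']));
$root->appendChild($doc->createElement('body'))->appendChild($doc->createTextNode($items[$id]['body']));
$doc->appendChild($root);

// Mark the response as XML and keep shared caches from serving a gated
// response to a later, unauthenticated client.
header('Content-Type: application/xml; charset=utf-8');
header('Cache-Control: private, no-store');
echo $doc->saveXML();
```

This keeps RSS readers and other sites from pulling the feed with a bare URL, but anyone who can load your page still gets a session and can fetch the XML with it, which is Sema's point above: a gate like this limits casual reuse, it does not make the data secret.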