On Fri, 2010-08-06 at 09:41 -0400, Marc Guay wrote:
> Hi folks,
>
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place. I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
>
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
>
> It seems unlikely that this is the method everyone uses, but maybe
> not. Advice is nice.
> Marc
>

I think the only sensible way to solve this is to pass a unique authentication key with each request. Usually this is done with the session id, which is checked on the server-side each time an action is triggered. Sure, someone could look at the session id and copy it to a script, but sessions usually expire after a certain amount of time if they don't remain active. Even if someone did start up a script with a valid session id and make repeated requests to your system, they should only have the session id if they are a valid user of your system anyway, so whether they do it via a browser or not shouldn't make much of a difference.

If you're worried about someone logging in and using an automated process to abuse your system, you could add a logging method to your PHP code that tracks every action a user makes. This way, you can then have checks in your code to look for suspicious activity and destroy a session. Suspicious activity could be anything from lots of invalid requests to a continuous stream of requests and requests made at too regular an interval.

Thanks,
Ash
http://www.ashleysheridan.co.uk
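One way to put the two suggestions in Ash's reply into the action script itself (an added example, not code from this thread; it assumes the login code already sets $_SESSION['user_id'], PHP 7 or later, and the thresholds shown are illustrative values to be tuned per application):

```php
<?php
// actions/delete_thing.php  (added example, not from the original thread)
// Assumes login code already stores $_SESSION['user_id'] on success.
session_start();
// Reject requests that carry no authenticated session. A POST copied
// out of the browser console without the session cookie fails here.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorised');
}
// Illustrative thresholds (assumed values, tune for the application).
const MAX_PER_MINUTE = 30;    // more than this: continuous stream
const MIN_JITTER     = 0.05;  // gap spread below this: too regular
const MAX_INVALID    = 5;     // more than this: lots of invalid requests
// Record this request and keep only the last minute of timestamps.
$now = microtime(true);
$_SESSION['actions'][] = $now;
$_SESSION['actions'] = array_values(array_filter(
    $_SESSION['actions'],
    function ($t) use ($now) { return $now - $t < 60; }
));
$times = $_SESSION['actions'];
// Validate the input; count invalid requests per session.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    $_SESSION['invalid'] = ($_SESSION['invalid'] ?? 0) + 1;
}
$suspicious = count($times) > MAX_PER_MINUTE
    || ($_SESSION['invalid'] ?? 0) > MAX_INVALID;
if (count($times) >= 5) {
    // Requests arriving at an almost constant interval look automated.
    $gaps = [];
    for ($i = 1; $i < count($times); $i++) {
        $gaps[] = $times[$i] - $times[$i - 1];
    }
    $suspicious = $suspicious || (max($gaps) - min($gaps) < MIN_JITTER);
}
if ($suspicious) {
    error_log("Suspicious activity for user {$_SESSION['user_id']}");
    session_destroy();
    http_response_code(403);
    exit('Session terminated');
}
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}
// ... perform the delete for $_SESSION['user_id'] and $id here.
```

The per-session counters live in $_SESSION only for brevity; a shared store (database or cache) would let the same checks run across all of a user's sessions.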