views: 5372 | answers: 8

What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page. I don't want to use the $_SERVER['HTTP_REFERER'], because of the (lack of) reliability, and I need the page being called to only come from requests originating on my site.

Edit: I am looking to verify that a script that performs a series of actions is being called from a page on my website.

A: 

If you can't trust the REFERER variable (and (generally) why wouldn't you), it depends on whether you're talking about pages from within or without your control. From within, session variables and breadcrumbs are trivial, from without, well, it's REFERER or nothing really.

[Edit] So there are some reasons for REFERER being not totally trustworthy, but mostly that's not likely and it's the best you've got.

Unsliced
It is in the client's control. So it's a session variable or the like, or nothing.
Vinko Vrsalovic
REFERER can be disabled in most browsers, and can be faked.
Unkwntech
+8  A: 

The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.

If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.

Seldaek
If you want to use this method, you should still check the referrer as well to prevent CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery
John Isaacks
A: 

When generating the pages from which the ajax gets called:

  • include a parameter in the ajax call containing the current displayed page

e.g. with jQuery

// <referrer> is filled in server-side when the page is generated
$.ajax({
  type: "GET",
  url: "ajaxhandler.php?referrer=<referrer>",
  dataType: "script"
});

Replace <referrer> with the URL of the currently displayed page (or the template name, or whatever helps you identify the page).

Andre Bossard
What prevents someone from spoofing this too? You've just moved the spoofable referer string to a different place in the HTTP request.
Tim Farley
+1  A: 

There is no reliable way to check this. It's really in the client's hands to tell you where it came from. You could imagine using cookie or session information put only on some pages of your website, but doing so you would break the user experience with bookmarks.

gizmo
+1  A: 

Maybe one of these links will help you. They are not about referer, but more reliable methods of doing what you probably want to do with referer.

phjr
+1  A: 

A possible way is to put a unique key (e.g. a GUID) in one field of your page, and send it back in the next request.

PhiLho
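The unique-key idea in this answer, combined with the session/cookie approach from Seldaek's answer and the CSRF point in John Isaacks's comment, is the synchronizer-token pattern. The following is an added example in plain PHP, not code from any of the answers above; the function names (issueToken, renderPage, verifyRequest) and the X-Request-Token header name are this example's own, and a plain array stands in for $_SESSION so it runs from the CLI without a session handler. Unlike the referrer parameter in Andre Bossard's answer, the token is random, stored server-side, and only readable by pages on your own origin, so a page on another site cannot supply it.

```php
<?php
// Added example: synchronizer token for verifying that an AJAX call was
// issued by a page this server generated. Not part of the original answers.
declare(strict_types=1);

// Create (once per session) or reuse the per-session token.
// $session stands in for $_SESSION (assumption: you call session_start()
// and pass $_SESSION here in a real handler).
function issueToken(array &$session): string
{
    if (!isset($session['page_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable by an outsider
        $session['page_token'] = bin2hex(random_bytes(32));
    }
    return $session['page_token'];
}

// Emit the page fragment: the token in a <meta> tag plus the jQuery call
// that sends it back in a request header (not in the URL, so it never
// lands in access logs or in a Referer header to third parties).
function renderPage(array &$session): string
{
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<meta name="request-token" content="{$token}">
<script>
$.ajax({
  type: "POST",
  url: "ajaxhandler.php",
  headers: { "X-Request-Token": $('meta[name="request-token"]').attr("content") }
});
</script>
HTML;
}

// Server side of ajaxhandler.php: accept the request only when the echoed
// token equals the one stored in this visitor's session. A missing session
// token or a missing header fails closed; hash_equals() is a constant-time
// comparison, so the check does not leak the token byte by byte.
function verifyRequest(array $session, array $headers): bool
{
    if (!isset($session['page_token'], $headers['X-Request-Token'])) {
        return false;
    }
    if (!is_string($headers['X-Request-Token'])) {
        return false;
    }
    return hash_equals($session['page_token'], $headers['X-Request-Token']);
}

// Constructed demonstration (no real HTTP traffic involved)
$session = [];
$page = renderPage($session);          // page embeds the token and the AJAX call
$fromOwnPage  = verifyRequest($session, ['X-Request-Token' => $session['page_token']]);
$forgedToken  = verifyRequest($session, ['X-Request-Token' => str_repeat('a', 64)]);
$noToken      = verifyRequest($session, []);
$otherSession = verifyRequest([], ['X-Request-Token' => $session['page_token']]);

echo "own page, own session:     " . ($fromOwnPage  ? "accepted" : "rejected") . "\n";
echo "guessed token:             " . ($forgedToken  ? "accepted" : "rejected") . "\n";
echo "no token header:           " . ($noToken      ? "accepted" : "rejected") . "\n";
echo "token from another session:" . ($otherSession ? "accepted" : "rejected") . "\n";
```

Only the first case is accepted. The check does not tell you which page made the call (the question's literal ask), but it does guarantee what the edit asks for: the caller had a page generated by your server for this session, because nothing else can read the token out of the page. Bookmarking the handler URL directly simply yields a rejection rather than a broken experience, and in a real handler you would send the token in $_SESSION and read the header from $_SERVER['HTTP_X_REQUEST_TOKEN'].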
A: 

In this case the spoofer wouldn't know to place the GET into the page when coming from outside. Also, only you know which pages you are sending it from, so if the referrer is false your program logic would know that.

Unauthorized page calls could then easily be redirected anywhere you want them to go, moving them away from your protected page. Also, you could just as easily use POST, thereby rendering it unknown that you are even calling it. Encrypting the form would also keep out prying eyes.

uh, there are ways to read post data pretty easily, yeah?
Tchalvak
A: 

Use cookies or session to authenticate the user.

Jeroen van der Tuin