What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page? I don't want to use $_SERVER['HTTP_REFERER'], because of its (lack of) reliability, and I need the page being called to only come from requests originating on my site.
Edit: I am looking to verify that a script that performs a series of actions is being called from a page on my website.
If you can't trust the REFERER variable (and (generally) why wouldn't you), it depends on whether you're talking about pages from within or without your control. From within, session variables and breadcrumbs are trivial; from without, well, it's REFERER or nothing really.
[Edit] So there are some reasons for REFERER being not totally trustworthy, but mostly that's not likely and it's the best you've got.
The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.
If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.
When generating the pages from which the ajax gets called:
- include a parameter in the ajax call containing the currently displayed page
e.g. with jQuery:
    $.ajax({
        type: "GET",
        // <referrer> is filled in on the server when the page is rendered
        url: "ajaxhandler.php?referrer=<referrer>",
        dataType: "script"
    });
Replace <referrer> with the URL of the currently displayed page (or the template name, or whatever helps you identify the page).
There is no reliable way to check this. It's really in the client's hands to tell you where it came from. You could imagine using cookie or session information put only on some pages of your website, but doing so you would break the user experience with bookmarks.
Maybe one of these links will help you. They are not about referer, but more reliable methods of doing what you probably want to do with referer.
A possible way is to put a unique key (eg. a GUID) in one field of your page, and send it back in the next request.
In this case the spoofer wouldn't know to place the key into the page when coming from outside. Also, only you know which pages you are sending it from, so if the referrer is false your program logic would know that.
Unauthorized page calls could then easily be redirected anywhere you want them to go, moving them away from your protected page. Also, you could just as easily use POST, thereby rendering it unknown that you are even calling it. Encrypting the form would also keep out prying eyes.
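The following is an added worked example, not code from any of the answers above: it combines the session-based check from the earlier answer with the "unique key in one field of your page, sent back in the next request" idea from this one. The file names page.php and the X-CSRF-Token header, and the function names csrfToken and csrfTokenIsValid, are assumptions; ajaxhandler.php is the endpoint named in the jQuery answer.

```php
<?php
// Added example (not from this page). Per-session anti-forgery token:
// page.php embeds it, ajaxhandler.php refuses requests that lack it.
// Assumed names: page.php, X-CSRF-Token header, csrfToken*().
session_start();

// Mint one random token per session and remember it server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit nonce
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/* --- page.php: embed the token and send it with every AJAX call ---
<meta name="csrf-token"
      content="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
<script>
  $.ajax({
    type: "POST",
    url: "ajaxhandler.php",
    headers: { "X-CSRF-Token": $('meta[name="csrf-token"]').attr("content") },
    data: { action: "doSomething" }
  });
</script>
*/

// --- ajaxhandler.php: refuse any call that lacks the matching token ---
// A page on another site cannot read the token out of this page or this
// session, so a forged or cross-site call is rejected here no matter what
// the Referer header says.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrfTokenIsValid($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null)) {
    http_response_code(403);
    exit('This script can only be called from a page on this site.');
}
// ... the protected series of actions goes here ...
```

Bookmarks keep working, because a fresh load of page.php simply reuses (or mints) the session token before the AJAX call is made.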