What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page. I don't want to use the $_SERVER['HTTP_REFERER'], because of the (lack of) reliability, and I need the page being called to only come from requests originating on my site.
Edit: I am looking to verify that a script that preforms a series of actions is being called from a page on my website.
views:
5372answers:
8
A:
If you can't trust the REFERER variable (and (generally) why wouldn't you), it depends on whether you're talking about pages from within or without your control. From within, session variables and breadcrumbs are trivial, from without, well, it's REFERER or nothing really.
[Edit] So there are some reasons for REFERER being not totally trustworthy, but mostly that's not likely and it's the best you've got.
Unsliced
2008-10-03 07:24:28
It in client's control. So it's a session variable or the like or nothing
Vinko Vrsalovic
2008-10-03 07:30:04
REFERER can be disabled in most browsers, and can be faked.
Unkwntech
2008-10-03 07:44:27
+8
A:
The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.
If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.
Seldaek
2008-10-03 07:33:54
If you want to use this method, you should still check the referrer as well to prevent CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery
John Isaacks
2010-09-13 14:15:58
A:
When generate the pages from which the ajax gets called:
- include a parameter in the ajax call containing the current displayed page
p.e. with JQuery
$.ajax({
type: "GET",
url: "ajaxhandler.php?referrer=<referrer>",
dataType: "script"
});
Replace referrer by the url of the currently displayed page (or the template name or whatever helps you identify the page)
Andre Bossard
2008-10-03 07:34:58
What prevents someone from spoofing this too? You've just moved the spoofable referer string to a different place in the HTTP request.
Tim Farley
2008-10-03 12:26:21
+1
A:
There is no reliable way to check this. It's really under client's hand to tell you where it came from. You could imagine to use cookie or sessions informations put only on some pages of your website, but doing so your would break user experience with bookmarks.
gizmo
2008-10-03 07:36:25
+1
A:
Maybe one of these links will help you. They are not about referer, but more reliable methods of doing what you probably want to do with referer.
phjr
2008-10-03 10:27:22
+1
A:
A possible way is to put a unique key (eg. a GUID) in one field of your page, and send it back in the next request.
PhiLho
2008-10-03 12:49:07
A:
In this case the spoofer wouldn't know to place the get into the page when coming from outside. Also only you know which pages you are sending if from, so if the referrer is false you program logic would know that.
Unauthorized page calls could easily then be redirected anywhere want them to go moving them away from your protected page. Also, you could just as easily use POST thereby rendering it unknown that you are even calling it. Encrypting the form would also keep out prying eyes