I have a website that uses session cookies for security. It works fine and all, but any AJAX requests right now are not secure. Example being: let's say a user is on a page. They can only get to this page if they are logged in with a session - so far so good. But now the AJAX request they ask for is

ajaxpages/somepage.php?somevar=something&anothervar=something

If any other user decides to just go to that link themselves (without a session), they still get the same AJAX output that was meant for logged-in people.

So obviously I'm going to have to pass session data across when I send an AJAX request. Anyone have any tips for the best way of doing this? I've never done this before and would rather use trusted methods than make up my own.

A: 

PHP, no framework.

asdasda
+4  A: 

The AJAX requests work just like any other request to your website and should return the same session cookies as the non-AJAX requests. This is pointed out in this question. If you aren't getting the session cookie, perhaps something else is wrong.

Kibbee
+1  A: 

Use the same security check on the pages that handle the AJAX request.

zaf
+1  A: 

Since that is a PHP page, I don't see why you couldn't perform authentication on the PHP side. If authentication is successful, send back the data. Otherwise, send back an error message. AJAX requests aren't that different from any other request.

Vivin Paliath
A: 

Thanks Kibbee. That was an awesome 5-second fix to what I thought was a huge security problem. I would give you points but I refuse to make an OpenID account.

asdasdsa
Any reason why you refuse to make an openID account? Kind of seems like an odd thing.
Kibbee
He's concerned about OpenID's security?
Forrest Marvez
eh? I'm confused...
zaf
A: 

Having an AJAX output isn't necessarily a vulnerability. It entirely depends on what data is being transmitted. I am not sure what platform you are using, but most web application development platforms have a session variable that can maintain state between requests.

What you should have in place is a way of marking the user as being logged in from the server side. In PHP this would look like:

session_start(); // must be called before $_SESSION is used
if(login($user,$password)){ // login() is the site's own credential check
   $_SESSION['logged_in']=true; // kept server-side, never in a cookie value
}

Then you can check in a header file if they are allowed to access the page:

session_start();
if(empty($_SESSION['logged_in'])){ // empty() avoids a notice when the key is unset
   header("location: http://127.0.0.1/");
   die(); // stop here, otherwise the protected output is still sent
}

(If a variable isn't set it is also false.)

There are a few things you need to keep in mind. This is a vulnerability:

// VULNERABLE: $_COOKIE is supplied by the client, so anyone can send logged_in=1
if(!$_COOKIE['logged_in']){
   header("location: http://127.0.0.1/");
   die();
}

The user can control $_COOKIE, so they can tell you that they are logged in.

Another vulnerability:

// VULNERABLE: same client-controlled check, and the script keeps running after header()
if(!$_COOKIE['logged_in']){
   header("location: http://127.0.0.1/");
}

header() doesn't kill the script. In fact it still runs, so it will still output the data; it just won't be displayed in a browser, but you can still use netcat/telnet/wireshark to see it.

Rook
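The following is an added example that is not part of the question or any of the answers above. It puts together the point made by Kibbee (the browser sends the same session cookie with an AJAX request as with any other request, so nothing extra has to be passed) and the server-side pattern in the answer above (a logged-in flag kept in $_SESSION, checked at the top of every page and AJAX endpoint, with the script stopped after the check). It assumes a single PHP file for illustration; check_credentials() and its in-memory user table are constructed stand-ins for the site's real user store, and the endpoint path and parameter names are taken from the question.

```php
<?php
// Added example, not code from the question or the answers.
// check_credentials() is a hypothetical stand-in for the site's own lookup.
declare(strict_types=1);

session_start(); // before any output; this is what reads the session cookie

/**
 * Hypothetical credential check against a constructed in-memory user store.
 * A real site would look the user up and compare with password_verify().
 */
function check_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        // Constructed sample user; the hash is generated at runtime.
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Called by the login form handler. */
function login_user(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // New session id on privilege change, so an id fixed before login is useless.
    session_regenerate_id(true);
    // The flag lives server-side. A client cannot set $_SESSION; it can only
    // present the opaque session cookie, which is why $_COOKIE must not be trusted.
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $user;
    return true;
}

function is_logged_in(): bool
{
    // empty() treats an unset key as "not logged in" without a notice.
    return !empty($_SESSION['logged_in']);
}

/** Guard for a normal HTML page: redirect, then stop the script. */
function require_login_page(): void
{
    if (!is_logged_in()) {
        header('Location: /login.php');
        exit(); // without this the protected page body is still sent
    }
}

/** Guard for an AJAX endpoint: a redirect is unhelpful to XMLHttpRequest, so answer 401. */
function require_login_ajax(): void
{
    if (!is_logged_in()) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not logged in']);
        exit();
    }
}

// What ajaxpages/somepage.php?somevar=...&anothervar=... would contain:
require_login_ajax();
header('Content-Type: application/json');
echo json_encode([
    'user'       => $_SESSION['user'],
    'somevar'    => $_GET['somevar']    ?? null,
    'anothervar' => $_GET['anothervar'] ?? null,
]);
```

With this in place, a visitor who pastes the AJAX URL into a browser without having logged in gets a 401 and an error body rather than the data, because their request carries no session (or a session without the flag). A logged-in user's AJAX call works unchanged: same-origin XMLHttpRequest sends the session cookie automatically, so the JavaScript side needs no changes.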
A: 

Because I'm a fag and would rather have a Stack Overflow-specific account. I just don't like the idea of signing up somewhere else to sign up somewhere else.

asdadas
Now you're in trouble Mr. asdadas!
zaf