I am developing one site, and I want to ensure that Ajax requests which are older than 5 minutes are not executed. This means that I want to execute only fresh Ajax requests. How can I do this?
This tells you the time on the client. That is not a value you should ever trust.
jmucchiello
2009-06-04 06:18:36
I disagree. Given that the OP has not said what this is being used for, it is premature to assume a few extra requests are a problem.
Matthew Flaschen
2009-06-04 06:34:30
+4
A:
I suppose you could send a timestamp to the page as a JS variable, and then include it as part of the AJAX request - then compare the two
<script type="text/javascript">
// Using JQuery
$.post( 'process.php', {generatedTime:<?php echo time(); ?>}, function(data){} );
</script>
And then, in process.php
<?php
// process.php: reject the request if the page that issued it was generated more than 5 minutes ago
if ( !isset($_POST['generatedTime']) || ( time() - (int) $_POST['generatedTime'] ) > 300 )
{
    // Request made over 5 minutes past generation of page (or the timestamp is missing)
}
Peter Bailey
2009-06-04 06:11:46
This does something different from mine. This will basically block any AJAX requests 5 minutes after the page is served. Perhaps the OP can clarify which (if either) he means.
Matthew Flaschen
2009-06-04 06:15:30
This can be gamed. You need to also send a hash (plus salt) of the time you sent to the client so you can verify the user is not messing with you. When you receive the request you have to rebuild the hash (you saved the salt in the session) to verify that "generatedTime" is actually the value you sent to the client and not a value made up by the client.
jmucchiello
2009-06-04 06:17:50
@jmucchiello - yes indeed. But if I filled out every response here on SO with all the necessary caveats and security checks and whatnot, I'd never get any real work done ;)
Peter Bailey
2009-06-04 06:20:42
Ah, but jmucchiello, that will still allow replay attacks within a single session!
Matthew Flaschen
2009-06-04 06:32:40
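The three ideas in this thread (the answer's age check, jmucchiello's signed timestamp so the client cannot forge "generatedTime", and Matthew Flaschen's point that a signed timestamp alone still allows replay within the session) fit together into one server-side check. The following is an added example, not code from the question or the answer, written in Python rather than PHP so the logic reads stand-alone; it assumes a server-side HMAC key (instead of a salt stored in the session) and a set of used nonces kept in the session, and all timestamps and values in it are constructed.

```python
import hmac
import hashlib
import secrets

MAX_AGE_SECONDS = 300  # the 5-minute window from the question


def sign(secret: bytes, generated_time: int, nonce: str) -> str:
    """HMAC-SHA256 over the timestamp and the nonce. Without the server
    secret the client cannot produce a valid tag for a value it made up."""
    msg = f"{generated_time}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, now: int) -> dict:
    """Server side, when rendering the page: embed all three fields in the
    page so the JS can post them back (the answer only embeds generatedTime)."""
    nonce = secrets.token_hex(16)  # single-use per request
    return {"generatedTime": now, "nonce": nonce, "mac": sign(secret, now, nonce)}


def verify_request(secret: bytes, fields: dict, now: int, used_nonces: set) -> str:
    """Server side (the role of process.php). Returns 'ok' or a rejection reason.
    used_nonces is the per-session set of nonces already accepted."""
    try:
        generated_time = int(fields["generatedTime"])
        nonce = str(fields["nonce"])
        mac = str(fields["mac"])
    except (KeyError, ValueError, TypeError):
        return "malformed"
    # 1. Integrity: recompute the tag over what the client sent; constant-time compare.
    if not hmac.compare_digest(sign(secret, generated_time, nonce), mac):
        return "bad_signature"
    # 2. Freshness: the answer's age check, plus rejecting timestamps from the future.
    age = now - generated_time
    if age < 0 or age > MAX_AGE_SECONDS:
        return "stale"
    # 3. Replay: a token that was already accepted in this session is refused.
    if nonce in used_nonces:
        return "replayed"
    used_nonces.add(nonce)
    return "ok"


def demo() -> dict:
    """Exercise the four outcomes with constructed times and a constructed key."""
    secret = secrets.token_bytes(32)  # in PHP this would come from config, not the session
    used = set()
    t0 = 1_000_000  # constructed 'page generated' time
    results = {}

    token = issue_token(secret, t0)
    results["fresh"] = verify_request(secret, token, t0 + 10, used)      # 'ok'
    results["replay"] = verify_request(secret, token, t0 + 20, used)     # 'replayed'

    tampered = dict(token, generatedTime=t0 + 1000)                     # client edits the time
    results["tampered"] = verify_request(secret, tampered, t0 + 1000, used)  # 'bad_signature'

    stale = issue_token(secret, t0)
    results["stale"] = verify_request(secret, stale, t0 + 301, used)     # 'stale'
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

The checks are ordered so that a forged tag is rejected before the timestamp is trusted, and the nonce is only recorded after the other two checks pass, so a bad request cannot burn a valid nonce. Keeping the nonce set in the session bounds its size to the pages that session has loaded.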