tags:

views:

132

answers:

6
Q: 

Website security question with PHP? (Probably applies to ASP/Rails/etc.. too)

Say, I have "index.htm" and "routines.php".

"index.htm" will call eventually call "routines.php" using JS (AJAX).

So, my question is, how can "routines.php" verify that the request came from the same local server and not outside? Is there a global variable I can check at PHP level or HTTP level?

Edit 1: Using AJAX

+1  A: 

If the call is made in JavaScript (i.e., on the client), you really can't do anything to definitely prevent someone from simulating a request from index.htm, even if you check the Referer (sic) header.

If the request is made on the server side, you could use some kind of key.

You can of course generate a key on the client side too, but this security measure can be imitated by anyone to simulate a request from index.htm.

Blixt  2009-06-10 14:59:42
A: 

Use the HTTP_REFERER server variable:

echo $_SERVER['HTTP_REFERER']

With this you can know if the request comes from the server you want.

backslash17  2009-06-10 15:00:58
It's very easy to spoof the HTTP Referer header.
Ionuț G. Stan  2009-06-10 15:02:31
$_SERVER['HTTP_REFERER'] is bad practice. you can't safely relay on this information.
Philippe Gerber  2009-06-10 15:02:47
It could stop http://en.wikipedia.org/wiki/Cross-site_request_forgery though?
Arjan  2009-06-10 21:29:10
+2  A: 

To answer your question with another question: how would you invoke getdata() using a browser?

(So: no need to worry.)

Arjan  2009-06-10 15:01:20
Forgot to mention, using AJAX :P
Atlas  2009-06-10 15:03:36
still. when i open routines.php in my browser and the function is only defined in this file, nothing is gonna happen. and at the position where you call the function, you should have already verified whether the function can be called or not.
Philippe Gerber  2009-06-10 15:06:45
yep, opening routines.php from any browser won't do anything. But what if, someone make a similar index.htm, and it calls getdata() from my routines.php, the request is considered valid, no?
Atlas  2009-06-10 15:11:11
Even with Ajax you can only request routine.php, and not getdata() directly -- can you? Please show us some code then... But basically you cannot prevent someone from calling your Ajax methods. Even if you have some session and authentication in place, then still someone could first authenticate to get that session, and then invoke your Ajax calls. (We need more info for a detailed answer.)
Arjan  2009-06-10 15:40:39
+3  A: 

You may forget about the Ajax part as it's not really part of the problem. You should read about Cross Site Request Forgeries (CSRF) and CSRF tokens. Some links:

Ionuț G. Stan  2009-06-10 15:08:25
thanks, i'll check them out.
Atlas  2009-06-10 15:13:28
A: 

As others pointed out, it would be pretty difficult given your original specification. However, if you can change the index.htm to be index.php and have it output the same content as index.htm, you can also put in additional tokens for session management (e.g. Cookies - yes I know they are easy to spoof too :) and reject the call to getdata() if the tokens don't match.

 2009-06-10 15:12:50
+1  A: 

you could use a session key:

index.htm

<?php

$_SESSION['safe_key'] = true;

?>
javascript code here

routines.php

<?php
if (!isset($_SESSION['safe_key'])) {
   die('from outside');
}

function getdata() { ... }
?>

Basically what happens is when index.htm is called a session safe key is created. Sessions are serverside only. In routines.php if the safe key does not exist, the code was not called from index.htm. If it does exist, run code.

Ozzy  2009-06-10 15:16:20
...still nothing prevents someone from sending the session cookie that is received by simply requesting index.html once.
Arjan  2009-06-10 15:46:38
you could use session_regenerate_id() to stop that happening :)
Ozzy  2009-06-10 19:08:56
...and then one would simply send that new cookie value (received when the Ajax call completes) along with the next request... :-) (Too bad we'll never know what Atlas was trying to avoid here.)
Arjan  2009-06-11 15:03:34
I ment call session_regenerate_id after every request to routines.php :P
Ozzy  2009-06-11 16:15:14
Yes, but then still the Ajax response would include the new cookie?
Arjan  2009-06-12 10:35:22
Not quite. If the "hacker" gets ahold of the old session id, using it to request routines.php wont get it to send a new session id. Php will only send the new id once and that would be for the first and only request which would be done by index.php
Ozzy  2009-06-12 16:58:56

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases