PHP and AJAX security question

Tags: ajax, security, php

I am currently building a web app in which PHP files are loaded into a main file using jQuery's $.ajax function. However, the PHP files are obviously still accessible outside of the app, by just typing the file's name in the address bar.

So my question is: what would be the best way to make it so that the PHP file being 'ajaxed' in knows that it is contained in the correct page and will function correctly, but if it is accessed in any other way (even if someone were to make their own website and AJAX in my PHP file) then the file should say "access denied" or something.

Thanks in advance

carter663 asked Jul 29 '10 12:07


2 Answers

Concluded answer after googling a lot!

Step 1: Generate a token system for all web services.

Generating the token:

```php
<?php
session_start();
// Cryptographically random token (16 random bytes as 32 hex chars).
// md5(rand(1000,9999)) has only 9000 possible values and is not a substitute.
$token = bin2hex(random_bytes(16));
$_SESSION['token'] = $token; // store it as a session variable
?>
```

Step 2: Use it while sending the ajax call:

```javascript
var form_data = {
    data: $("#data").val(),                    // your data being sent with ajax
    token: <?php echo json_encode($token); ?>, // the token issued above; json_encode quotes it safely for JS
    is_ajax: 1
};

$.ajax({
    type: "POST",
    url: 'yourajax_url_here',
    data: form_data,
    success: function (response) {
        // do further
    }
});
```

Step 3: Now, let's secure the ajax handler PHP file with:

```php
<?php
session_start(); // most people forget this while copy-pasting code ;)

if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
    // Request identified as ajax request
    if (($_SERVER['HTTP_REFERER'] ?? '') === 'http://yourdomain/ajaxurl') {
        // HTTP_REFERER verification
        // Both token values must exist; hash_equals() compares them in constant time
        // instead of the loose == comparison.
        if (isset($_SESSION['token'], $_POST['token'])
            && hash_equals($_SESSION['token'], (string) $_POST['token'])) {
            // do your ajax task
            // don't forget to use sql injection prevention here.
        } else {
            header('Location: http://yourdomain.com');
            exit; // stop here; without exit the script keeps running after the redirect header
        }
    } else {
        header('Location: http://yourdomain.com');
        exit;
    }
} else {
    header('Location: http://yourdomain.com');
    exit;
}
```

Note: sorry for the nested if..else, but it increases understandability. You can simplify all three into one if/else. 85% security enhanced!

Hardik Thaker answered Sep 17 '22 15:09
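The same token flow as Steps 1 to 3, written as an added example rather than the answer's own code: the token is drawn from the OS random source instead of md5(rand()), the comparison is constant-time, and the X-Requested-With and Referer checks are kept only as a cheap early reject, because both headers are chosen by the client and cannot carry the decision. The function names, the referer URL and the CLI demo requests are assumptions made for this example; Step 2's client-side code is unchanged.

```php
<?php
// Added example, not code from the answer above. Function names, the referer URL and the
// demo requests are placeholders; $session/$post/$server stand in for the PHP superglobals
// so the logic can be exercised from the CLI without a web server.
declare(strict_types=1);

// Step 1 equivalent: issue a token on the page that embeds the JS.
function issue_ajax_token(array &$session): string
{
    // 16 random bytes = 32 hex chars. md5(rand(1000, 9999)) has only 9000 possible
    // values and can be enumerated; random_bytes() draws from the OS CSPRNG.
    $token = bin2hex(random_bytes(16));
    $session['token'] = $token;
    return $token;
}

// Step 3 equivalent: the check the handler actually relies on. Both values must exist
// and be non-empty strings; hash_equals() compares in constant time.
function verify_ajax_token(array $session, array $post): bool
{
    $expected = $session['token'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Advisory only: a non-browser client can send any X-Requested-With or Referer value,
// so this filters accidental direct access but never substitutes for the token check.
function looks_like_page_ajax(array $server, string $expectedReferer): bool
{
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest'
        && ($server['HTTP_REFERER'] ?? '') === $expectedReferer;
}

// Handler logic as a pure function returning [HTTP status, body].
function handle_ajax(array $session, array $post, array $server): array
{
    if (!looks_like_page_ajax($server, 'http://yourdomain/page.php')) { // placeholder URL
        return [403, 'access denied'];
    }
    if (!verify_ajax_token($session, $post)) {
        return [403, 'access denied'];
    }
    return [200, 'ok: ' . ($post['data'] ?? '')];
}

// CLI demo with constructed requests: php ajax_token.php
if (PHP_SAPI === 'cli') {
    $session = [];
    $token   = issue_ajax_token($session);
    $server  = [
        'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
        'HTTP_REFERER'          => 'http://yourdomain/page.php',
    ];

    print_r(handle_ajax($session, ['token' => $token, 'data' => 'hello'], $server)); // call from the page
    print_r(handle_ajax($session, ['token' => 'guess', 'data' => 'hello'], $server)); // token not known to the caller
    print_r(handle_ajax($session, ['token' => $token, 'data' => 'hello'], []));        // URL typed into the address bar
    print_r(handle_ajax([], ['token' => $token, 'data' => 'hello'], $server));         // no session behind the request
}
```

In the real handler the wiring is `session_start(); [$status, $body] = handle_ajax($_SESSION, $_POST, $_SERVER); http_response_code($status); echo $body;`, which returns the "access denied" the question asks for instead of redirecting. Rejecting with 403 rather than `header('Location: ...')` also avoids the forgotten-`exit` trap in the original handler.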


Quoting Eran Galperin from a similar discussion

As others have said, Ajax requests can be emulated by creating the proper headers. If you want to have a basic check to see if the request is an Ajax request you can use:

```php
<?php
// isset() avoids an undefined-index notice when the header is absent
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    // Request identified as ajax request
}
```

However, you should never base your security on this check. It will eliminate direct accesses to the page, if that is what you need.

Please take this answer by Jeremy Ruten also into account:

There is no way of guaranteeing that they're accessing it through AJAX. Both direct access and AJAX access come from the client, so it can easily be faked.

Why do you want to do this anyways?

If it's because the PHP code isn't very secure, make the PHP code more secure. (For example, if your AJAX passes the user id to the PHP file, write code in the PHP file to make sure that is the correct user id.)

More clever thoughts in the discussion linked above.

middus answered Sep 19 '22 15:09
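Jeremy Ruten's point, that the fix is to make the PHP file itself check who is asking, shown as an added example that is not part of the answer: the handler trusts only the user id the server placed in the session at login, compares any client-supplied user id against it, and never looks at how the request arrived. The notes table, the function name and the demo requests are constructed for this example.

```php
<?php
// Added example, not code from the answer above: the handler authorizes the request
// itself instead of asking "was this called via AJAX?". The notes table, function name
// and demo requests are constructed for the demo.
declare(strict_types=1);

// Constructed stand-in for a database table: owner user id => note id => text.
const SAMPLE_NOTES = [
    7  => ['n1' => 'alice: private note'],
    12 => ['n2' => 'bob: private note'],
];

// Returns [HTTP status, body]. The only trusted identity is the one the server put in
// the session at login; a user_id sent by the client is checked against it, never used
// in its place. X-Requested-With and Referer play no part, so a URL typed into the
// address bar and a call from another site are refused for the same reason.
function fetch_note(array $session, array $request): array
{
    $authUser = $session['user_id'] ?? null;
    if (!is_int($authUser)) {
        return [401, 'not logged in'];
    }
    if (isset($request['user_id']) && (int) $request['user_id'] !== $authUser) {
        // Client claims to be someone else: refuse, whatever transport was used.
        return [403, 'access denied'];
    }
    $noteId = (string) ($request['note_id'] ?? '');
    $note   = SAMPLE_NOTES[$authUser][$noteId] ?? null;
    if ($note === null) {
        // "Not found" and "not yours" get the same response, so note ids cannot be enumerated.
        return [404, 'not found'];
    }
    return [200, $note];
}

// CLI demo with constructed requests: php authz_demo.php
if (PHP_SAPI === 'cli') {
    $alice = ['user_id' => 7]; // set by the login code, not by the client
    print_r(fetch_note($alice, ['note_id' => 'n1']));                  // own note
    print_r(fetch_note($alice, ['note_id' => 'n2']));                  // another user's note
    print_r(fetch_note($alice, ['user_id' => 12, 'note_id' => 'n2'])); // client-supplied user_id
    print_r(fetch_note([], ['note_id' => 'n1']));                      // direct access with no login
}
```

The real handler calls `session_start()` and passes `$_SESSION` and `$_POST` in; nothing else changes. Because the decision depends on server-side state rather than on request headers, it holds whether the file is fetched by the page's own $.ajax call, by a hand-built request, or from a third-party site.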