mario ruggier wrote:
Is such a way to filter out (most of the) illegitimate requests to service callbacks a good idea?
Other ideas of how to achieve this in a reasonable, and simple, way?
For browsers that do not set the HTTP_REFERER variable for xmlhttpreqobject calls, should mochikit check for it and rectify it?
I assume you can use 'sessions' to handle the security. As far as I know xmlhttprequest calls can get cookies set by the session manager. So a simple example in PHP would be:

//put this on the script serving the page so we create a new session for each client
session_start();
$_SESSION['active'] = true;
session_write_close();

//put this on the public functions
session_start();
// empty() also covers the case where the flag was never set, without a PHP notice
if (empty($_SESSION['active'])) die('Wrong session!');

I guess this will fail if cookies are disabled on the client side.
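One way to tighten the session flag above is to pair it with a per-session random token that the page embeds and the XMLHttpRequest sends back in a request header: a request that merely carries the session cookie (for example one triggered from another site) has no way to read the token, so it is rejected. The following is an added example, not code from the thread or from MochiKit; the constant names, the `X-Callback-Token` header, and the use of PHP 7's `random_bytes()` are my assumptions.

```php
<?php
// Added example (not from the original thread): a per-session token that the
// page embeds and the client sends back in an "X-Callback-Token" header.
// SESSION_TOKEN_KEY and the header name are assumptions; requires PHP 7+.

const SESSION_TOKEN_KEY = 'callback_token';
const TOKEN_HEADER = 'HTTP_X_CALLBACK_TOKEN'; // PHP's $_SERVER key for X-Callback-Token

// --- page script: start the session and hand the client a token ---
function issue_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[SESSION_TOKEN_KEY])) {
        // 16 random bytes, hex-encoded: unguessable by a third-party page
        $_SESSION[SESSION_TOKEN_KEY] = bin2hex(random_bytes(16));
    }
    $token = $_SESSION[SESSION_TOKEN_KEY];
    session_write_close(); // release the session lock before rendering
    return $token;
}

// Emits a small script so the client-side code can attach the header, e.g.
//   xhr.setRequestHeader('X-Callback-Token', CALLBACK_TOKEN);
function token_script(string $token): string {
    $json = json_encode($token, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var CALLBACK_TOKEN = $json;</script>";
}

// --- callback script: gate the public function ---
function callback_authorized(): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION[SESSION_TOKEN_KEY] ?? '';
    $given    = $_SERVER[TOKEN_HEADER] ?? '';
    session_write_close();
    // The session must hold a token AND the request must echo it exactly;
    // hash_equals() compares in constant time.
    return $expected !== '' && $given !== '' && hash_equals($expected, $given);
}

// Usage in the page script:
//   echo token_script(issue_token());
// Usage in each public callback:
//   if (!callback_authorized()) { http_response_code(403); die('Wrong session!'); }
```

Because the token travels in a custom header rather than as a form field, a plain cross-site form post or image request cannot supply it, and a same-origin XMLHttpRequest can. It still depends on the session cookie, so the cookies-disabled case mentioned above is not solved by this; for that the page would have to carry the token in the URL or the request body and the server would have to look it up without a cookie-backed session.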