mario ruggier wrote:
Is such a way to filter out (most of the) illegitimate requests to
service callbacks a good idea?
Other ideas of how to achieve this in a reasonable, and simple, way?
For browsers that do not set the HTTP_REFERER variable for
xmlhttpreqobject calls, should mochikit check for it and rectify it?
I assume you can use 'sessions' to handle the security. As far as I know
xmlhttprequest calls can get cookies set by the session manager. So a
simple example in PHP would be:
// put this on the script serving the page so we create a new session for each client
session_start();
$_SESSION['active'] = true;
session_write_close();
// put this on the public functions
session_start();
if (empty($_SESSION['active'])) die('Wrong session!');
I guess this will fail if cookies are disabled on the client side.
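As an added illustration (editor's example, not code from either poster), the two pieces above can be packaged as small helpers that the page script and the callback scripts include, with the Referer host comparison from the first message applied only when the browser actually sends the header. The function names, the file names in the comments and the host value are assumptions for illustration. Note what each check establishes: the session gate shows that the client has previously loaded the page, and the Referer comparison adds a second, browser-dependent signal about where the request came from.

```php
<?php
// Added example, not part of the original thread. Function names and the
// file names mentioned in comments are assumptions for illustration.

// --- page.php: mark the session active when the page itself is served ---
function mark_session_active(): void
{
    session_start();
    $_SESSION['active'] = true;
    // Release the session lock so several XHR calls from the same
    // client are not serialised behind each other.
    session_write_close();
}

// --- callback.php: refuse requests that carry no active session ---
function require_active_session(): void
{
    session_start();
    // empty() also covers the case where the key was never set,
    // so a fresh session does not trigger an undefined-index notice.
    if (empty($_SESSION['active'])) {
        http_response_code(403);
        exit('Wrong session!');
    }
}

// Referer check for the browsers that do send one. Only the host part
// is compared, so a path or query string that merely contains our host
// name does not pass. A missing header is reported as "absent" rather
// than treated as a failure, because, as the thread notes, some
// browsers do not send it for XMLHttpRequest calls.
function referer_matches_host(?string $referer, string $expected_host): ?bool
{
    if ($referer === null || $referer === '') {
        return null; // header absent: caller decides how to treat this
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Usage in callback.php (hypothetical):
//   require_active_session();
//   $ok = referer_matches_host($_SERVER['HTTP_REFERER'] ?? null, 'www.example.com');
//   if ($ok === false) {
//       http_response_code(403);
//       exit('Request did not come from this site');
//   }
//   // $ok === null means the browser sent no Referer; the session gate
//   // above is then the only check that applied.
```

The tri-state return of `referer_matches_host()` keeps the decision about Referer-less browsers in the calling script, which is where the thread's open question about such browsers has to be answered per application.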