[PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann
Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to 
my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some 
of that information is sensitive also. The request from AJAX is handled by 
another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user 
authentication and a crafted request sent directly to the AJAX handler to get 
information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication 
data that the user originally used to the AJAX so that only an authenticated 
user will get a valid response from the AJAX handler? I know I could embed 
authentication information into the web-page and send this with the AJAX 
request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance. 

Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Phpster

You could use a one-time token on each request.

Bastien

Sent from my iPod

On Nov 21, 2009, at 6:30 AM, Angus Mann angusm...@pobox.com wrote:


Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to  
log in to my PHP script and be authenticated before they are granted  
access.


For one of the forms I would like to retrieve information using  
AJAX, and some of that information is sensitive also. The request  
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the  
user authentication and a crafted request sent directly to the AJAX  
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the session/ 
authentication data that the user originally used to the AJAX so  
that only an authenticated user will get a valid response from the  
AJAX handler? I know I could embed authentication information into  
the web-page and send this with the AJAX request but I'm interested  
to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread tedd

At 9:30 PM +1000 11/21/09, Angus Mann wrote:

Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to 
log in to my PHP script and be authenticated before they are granted 
access.


For one of the forms I would like to retrieve information using 
AJAX, and some of that information is sensitive also. The request 
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the 
user authentication and a crafted request sent directly to the AJAX 
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the 
session/authentication data that the user originally used to the 
AJAX so that only an authenticated user will get a valid response 
from the AJAX handler? I know I could embed authentication 
information into the web-page and send this with the AJAX request 
but I'm interested to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


Angus:

First, don't trust anything that comes from the client -- period.

Second, Ajax is just another way to send stuff to the server. When 
the data gets to the server then authenticate and set a session 
variable to indicate such. This is not rocket science, but if you 
don't do it right you'll leave a crater.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

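Putting the two suggestions in this thread together (the server-side session check tedd describes and the one-time token Bastien mentions) as an added example; this is not code from either poster, and the file name, the session key names and the `lookup_sensitive_record()` helper are assumptions. It assumes PHP 7 or later for `random_bytes()`.

```php
<?php
// ajax_handler.php (assumed name): answers only when the caller holds an
// authenticated session AND presents the one-time token issued to it.
// Session key names and lookup_sensitive_record() are assumptions for
// this example, not something taken from the thread.

declare(strict_types=1);

session_start();

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Same-origin XMLHttpRequest sends the session cookie automatically,
//    so the login state is read from the server-side session. Nothing
//    embedded in the page is trusted to prove who the caller is.
if (empty($_SESSION['user_id'])) {
    deny(401, 'not authenticated');
}

// 2. One-time token: the page that renders the form stores a fresh
//    value in $_SESSION['ajax_token'] (generated the same way as below)
//    and the handler consumes it. A replayed or guessed token fails;
//    hash_equals() keeps the comparison constant-time.
$sent     = (string)($_POST['token'] ?? '');
$expected = (string)($_SESSION['ajax_token'] ?? '');
unset($_SESSION['ajax_token']);            // single use, even on failure
if ($expected === '' || !hash_equals($expected, $sent)) {
    deny(403, 'invalid or expired token');
}

// 3. Only now touch the sensitive data, always scoped to the logged-in user.
$record = lookup_sensitive_record((int)$_SESSION['user_id'], (string)($_POST['id'] ?? ''));

// Hand out the token for the next request together with the response.
$_SESSION['ajax_token'] = bin2hex(random_bytes(32));
header('Content-Type: application/json');
echo json_encode(['data' => $record, 'next_token' => $_SESSION['ajax_token']]);

function lookup_sensitive_record(int $userId, string $id): array {
    // Placeholder for the real database query; filter by $userId so a
    // valid session cannot read another user's rows.
    return ['owner' => $userId, 'id' => $id];
}
```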