Detecting Ajax in PHP and making sure request was from my own website
Let you Controller
- generate access token
- store in session for later comparison
In your View
- declare the access token as JS variable
- send the token with each request
Back in your Controller
- validate HTTP_X_REQUESTED_WITH
- validate token
Check these security guidelines from OpenAjax.
Also, read the article on codinghorror.com Annie linked.
Using AJAX, is the request source the web server making the call, or the client browser?
AJAX request is performed by the browser, so your client should be inside intranet to get necessary data.
How to make sure ajax is used or not?
if ($_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest')
{
// This is an AJAX request
}
How to check if the request is an AJAX request with PHP
There is no sure-fire way of knowing that a request was made via Ajax. You can never trust data coming from the client. You could use a couple of different methods but they can be easily overcome by spoofing.
Detect Ajax calling URL
Most well-known Ajax frameworks like jQuery and mooTools add a specific header which you can check with PHP:
if (strcasecmp('XMLHttpRequest', $_SERVER['HTTP_X_REQUESTED_WITH']) === 0)
{
// Ajax Request
}
How to find out if a request is an ajax request?
There's no 100% way to detect if the request was made via ajax. Even if someone sends header with "X-Requested-With: XMLHttpRequest" you shouldn't rely on it.
Detect an ajax request
Using jQuery, you can use $_SERVER['HTTP_X_REQUESTED_WITH']
which will be set to "XMLHttpRequest." This is the most reliable method when using jQuery.
How to make sure a request is sent from original software?
I have some experience with this myself. I've been building an extension with a login and eventually came to the inevitability that security in an extension is inherently difficult.
The issue is that an extension is just a bundle of JS and HTML that anyone can inspect the values of. This means that anyone determined enough to dig through your code can potentially find out how to bypass anything you have built in.
The solution I eventually came to is that, the extension itself cannot hold any long-lasting secrets. A session with a timeout is the only safe thing to store. The actual login for my extension is done via a website over HTTPS.
If you are trying to do this without any such login, your only recourse is to make it as difficult as possible to determine what needs to be sent by using an algorithm that can generate server verifiable tokens, and then only publishing minified code to the webstore.
EDIT: Reread the question and noticed that you said you are doing this open source. Without some sort of authentication on the webserver via HTTPS, there is little you can do to stop those determined to bypass your protections because they will be on display in your public repository.
Related Topics
How to Enable PHP to Work with Postgresql
Issue in Installing PHP7.2-Mcrypt
Create New Xml File and Write Data to It
How to Render Zf2 View Within JSON Response
How to Paginate a Merged Collection in Laravel 5
How to Alias the Name of a Column in Eloquent
How to Execute PHP Code Within JavaScript
Php/Symfony/Doctrine Memory Leak
PHP Simple Foreach Loop with HTML
Increase Days to PHP Current Date()
Send Xml Data to Webservice Using PHP Curl
Setting a PHP Script as a Windows Service
Run a PHP Script Every Second Using Cli
Php: Split String into Array, Like Explode with No Delimiter
Wampserver PHPmyadmin Maximum Execution Time of 360 Seconds Exceeded