Detecting Ajax in PHP and Making Sure Request Was from My Own Website

Let your Controller

  • generate an access token
  • store it in the session for later comparison

In your View

  • declare the access token as a JS variable
  • send the token with each request

Back in your Controller

  • validate HTTP_X_REQUESTED_WITH
  • validate token

Check these security guidelines from OpenAjax.

Also, read the article on codinghorror.com Annie linked.
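The procedure in the answer above, carried through as an added example (it is not code from the original answer or from any framework). The function names, the `X-Ajax-Token` header name, the `/api/data.php` endpoint and the `ajax_token` session key are assumptions of this example; it needs PHP 7 or later for `random_bytes` and `hash_equals`.

```php
<?php
// Added example, not from the original answers: the token + X-Requested-With
// scheme described above. Function, header and session-key names are assumptions.
declare(strict_types=1);

// --- Controller: generate the token once per session and keep it server-side ---
function ajaxToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['ajax_token'])) {
        // 32 random bytes -> 64 hex chars; unguessable, unlike a timestamp or user id
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// --- View: expose the token as a JS variable and send it with every request ---
function renderView(string $token): string
{
    // json_encode with the HEX flags makes the value safe to embed inside <script>
    $js = json_encode($token, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return <<<HTML
<script>
  var AJAX_TOKEN = {$js};
  fetch('/api/data.php', {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'X-Requested-With': 'XMLHttpRequest',
      'X-Ajax-Token': AJAX_TOKEN
    },
    body: 'q=example'
  }).then(function (r) { return r.json(); }).then(console.log);
</script>
HTML;
}

// --- Controller (API endpoint): accept only a tokened Ajax call ---
// $server is passed in (normally $_SERVER) so the check is easy to unit-test.
function isValidAjaxRequest(array $server, string $sessionToken): bool
{
    // 1. The header jQuery/fetch sets: a cheap first filter, but spoofable on its own
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    if (strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return false;
    }
    // 2. The per-session secret, compared in constant time to avoid timing leaks
    $sent = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    return $sent !== '' && hash_equals($sessionToken, $sent);
}

// Endpoint usage (assumed layout for /api/data.php):
// $token = ajaxToken();
// if (!isValidAjaxRequest($_SERVER, $token)) {
//     http_response_code(403);
//     exit(json_encode(['error' => 'forbidden']));
// }
// echo json_encode(['ok' => true]);
```

The two checks complement each other: a custom header such as `X-Ajax-Token` cannot be attached to a cross-origin request without a CORS preflight, and the token itself is only known to a page served to that session, so a third-party site cannot forge a passing request on the user's behalf. As the other answers note, neither check proves the caller is a browser; a user with the page open can always reproduce the request, so the token limits what other sites can do, not what the user can do.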

Using AJAX, is the request source the web server making the call, or the client browser?

An AJAX request is performed by the browser, so your client should be inside the intranet to get the necessary data.

How to make sure ajax is used or not?

// isset() avoids an "undefined index" notice when the header is absent
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest')
{
    // This is an AJAX request
}

How to check if the request is an AJAX request with PHP

There is no sure-fire way of knowing that a request was made via Ajax. You can never trust data coming from the client. You could use a couple of different methods but they can be easily overcome by spoofing.

Detect Ajax calling URL

Most well-known Ajax frameworks like jQuery and mooTools add a specific header which you can check with PHP:

// isset() avoids an "undefined index" notice when the header is absent;
// strcasecmp() makes the comparison case-insensitive
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strcasecmp('XMLHttpRequest', $_SERVER['HTTP_X_REQUESTED_WITH']) === 0)
{
    // Ajax Request
}

How to find out if a request is an ajax request?

There's no 100% way to detect if the request was made via ajax. Even if someone sends a header with "X-Requested-With: XMLHttpRequest" you shouldn't rely on it.

Detect an ajax request

Using jQuery, you can use $_SERVER['HTTP_X_REQUESTED_WITH'] which will be set to "XMLHttpRequest." This is the most reliable method when using jQuery.

How to make sure a request is sent from original software?

I have some experience with this myself. I've been building an extension with a login and eventually came to the inevitability that security in an extension is inherently difficult.

The issue is that an extension is just a bundle of JS and HTML that anyone can inspect the values of. This means that anyone determined enough to dig through your code can potentially find out how to bypass anything you have built in.

The solution I eventually came to is that the extension itself cannot hold any long-lasting secrets. A session with a timeout is the only safe thing to store. The actual login for my extension is done via a website over HTTPS.

If you are trying to do this without any such login, your only recourse is to make it as difficult as possible to determine what needs to be sent by using an algorithm that can generate server verifiable tokens, and then only publishing minified code to the webstore.

EDIT: Reread the question and noticed that you said you are doing this open source. Without some sort of authentication on the webserver via HTTPS, there is little you can do to stop those determined to bypass your protections because they will be on display in your public repository.
