0

It's rare, but I have to pay MS a compliment: the ASP.NET WebMethod (AJAX) authorization is a dream, regarding my desire for security and laziness.

Encosia's ASP.NET page methods are only as secure as you make them absolutely fits those needs. ASP.NET is actually workable for me now. Free at last! (From the noble but disastrous AJAXControlToolkit).

Anyways, the problem is, that's for work. I'm not buying the MS architecture when LAMP's out there for free. I'm new to AJAX, and I can't seem to find a clear answer on how to authorize AJAX calls to PHP in the same way as Encosia above.

Can anyone suggest the PHP equivalent of what Encosia does in the link above?

Thanks in advance!

More Details

OK, let me be more specific. Encosia's solution above gives 401 denied to anyone not logged in trying to access a webmethod. Neat, clean, easy. Before, I tried to user session data to give access, but it, unknowingly to me, forced synchronous mode. Nono.

I need both, for my site. I need to be able to give 401 denieds on certain pages if a user isn't logged in. I need to be able to allow anyone to call other phps via ajax regardless of login.

Clarity

Bottom line: I don't want anyone accessing certain AJAX PHPs unless if they are logged in. I don't care what the response or any other details as long as its' still AJAX. How to?

  • is this how? http://stackoverflow.com/questions/676846/do-ajax-requests-retain-php-session-info –  Sep 30 '12 at 17:31

1 Answers1

1

Not really clear from the question, but if you want to only allow access to your AJAX server side listening scripts (maybe XML or JSON output) to users that have either authed or are on the related page,then how about adding a session identifier to your JS AJAX requests? In the server side script you can check that identifier against maybe a DB table holding your current sessions.

For extra security, you could check against IP, a cookie etc. These are all values that you can set when the session is started.

The main thing you need to ask yourself is this:

If a user is either logged in or browsing, what kind of access to the database do you really want / need to give? Each application will have its own needs. If you are going to have AJAX listeners on your server, then all that's needed is a quick look at Firebug (example) to see where your scripts are and the format of the requests. This could allow a potential security hole to be found. Make sure all your incoming requests are correctly treated so as to remove the possibility of injection attacks.

Nick
  • 908
  • 12
  • 29
  • thank you for your help. i added an edit for more specifics as to what i need. bottom line, how do i give 401 denied on a php ajax page if a user isn't logged in. some ajax phps need to be off-limits. again, thanks for your help! –  Sep 30 '12 at 17:55
  • funnily enough I just answered a question about 401 a moment ago: http://stackoverflow.com/questions/12663519/understandin-php-404-redirection-related-to-invalid-get-request/12663584#12663584 I suggest a simple function in that answer, the same could be applied in your scenario, add wahts needed to the function, like set the php header to 401 etc. I assume you have a login script that handles auth for your isers, so add that error_401() there in the fail scenario – Nick Sep 30 '12 at 18:23
  • again, thank you for your time. i should've been more specific. I want to be able to deny people access to AJAX PHPs if they aren't logged in. how to? –  Sep 30 '12 at 18:32
  • i guess your server side ajax handler is written in PHP, use the auth method I suggested in my original answer to determine if the server side part of your AJAX should output data or not. No need to do much client side, its the server you need to protect! – Nick Sep 30 '12 at 18:34
  • thank you very much. could you edit your answer to provide a brief code example? –  Sep 30 '12 at 18:39
  • is it just as simple as testing for isset($_SERVER['PHP_AUTH_USER'])? –  Sep 30 '12 at 18:53
  • never used this, always use my own. I suggest you read http://php.net/manual/en/features.http-auth.php. Cant really provide you any code examples.. if you need a dev, then drop me a pm! – Nick Sep 30 '12 at 19:02