3

I have one controller which I use for ajax calls, so in jQuery I have something like:

$.ajax({
  type: 'POST',
  url: '<?php echo base_url().'ajax/post_message'; ?>',
  data: { message: msg }
}).done(function(data) {
    // handling callback here
});

Here ajax/post_message is working OK, but it's also accessible from the URL directly.

How can I prevent this? Should I place the ajax file somewhere else? If so, which URL can I use to access it?

zarkoz
  • Can you add code, something like is_ajax_request, to that function/page? – arun Oct 25 '12 at 14:10
  • yes, thank you very much, I didn't notice this method before. I think this will do the work :) thanks a lot – zarkoz Oct 25 '12 at 14:13
  • **Possible duplicate** : http://stackoverflow.com/questions/8121997/ajax-requests-not-open-to-everyone – arun Oct 25 '12 at 14:16
  • See [**this answer**](http://stackoverflow.com/a/1756970/1407478) for the correct solution to this particular problem; see [**this answer**](http://stackoverflow.com/a/23608173/1407478) for a practical example (a proxy used by ajax calls that should not be accessible directly or remote and just return a 403) – davidkonrad Feb 12 '15 at 21:00

5 Answers

2

If you want to use it for Ajax, then the browser has to be able to access it.

If the browser has to be able to access it then the URI cannot be a secret.

If you want to limit its use to certain people, then you can only use authentication+authorization (so only logged in users can access it).

(You could also look at rate limiting based on IP address to make it harder for third party sites to make use of the API directly)

Quentin
  • IP is as good as looking at the referer, as in my (now downvoted) suggestion. It is a no-brainer to tell it is not possible; I think zarkoz knows that, like "hiding" images. The goal is obviously to protect the response from the ajax, not the ajax URL itself. – davidkonrad Oct 25 '12 at 15:55
1

No, because technically an Ajax query is just a simple HTTP GET/POST request.

Maxim
1

You could implement a number-used-once (nonce) system like WordPress does. Pretty much, the server assigns the client a number. When the client sends the request back to the server it also sends the nonce. The server checks the nonce received against ones that it has previously assigned. If the nonce is valid then the server processes the request and discards the nonce (because it has been used once and is no longer valid). If the nonce sent to the server is not valid, or not sent, then the server does not process the request.

You could expand this nonce process to your liking; maybe a nonce is only valid for a certain amount of time... who knows.

Some resources explaining how it's used in WordPress: http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/

http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces

http://www.techytalk.info/securing-your-wordpress-plugin-ajax-calls-using-nonces/

jeremysawesome
  • This only protects against CSRF. It won't stop a third party site requesting a nonce and then hitting the API directly from their server. – Quentin Oct 25 '12 at 14:44
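The nonce flow this answer describes, as an added example that is not part of the answer or of WordPress's own implementation. The nonce store is a plain array so the script runs from the command line; in a CodeIgniter controller the same array would live in the user's session (`$_SESSION['nonces']` or the session library), which is what ties a nonce to one browser. The function names, the `NONCE_TTL_SECONDS` lifetime and the action labels are assumptions for the example; it needs PHP 7.1 or later. As Quentin's comment says, this stops cross-site request forgery from a page the user is visiting, not a third-party server that logs in and fetches its own nonce; that case is covered by authentication.

```php
<?php
// Added example (not from the question or any answer): a minimal single-use,
// time-limited nonce store of the kind the answer describes. The store is a
// plain array here so the script runs from the CLI; in a CodeIgniter
// controller you would keep it in the user's session instead.
declare(strict_types=1);

const NONCE_TTL_SECONDS = 600;   // assumed lifetime for the example

/** Issue a fresh nonce for $action, remember it with its expiry, and return it to the client. */
function issue_nonce(array &$store, string $action, int $now, int $ttl = NONCE_TTL_SECONDS): string
{
    $nonce = bin2hex(random_bytes(16));            // 128 bits from the CSPRNG, hex-encoded
    $store[$nonce] = ['action' => $action, 'expires' => $now + $ttl];
    return $nonce;
}

/** Verify and consume: true only for a known, unexpired nonce issued for the same action. */
function verify_and_consume_nonce(array &$store, string $action, ?string $nonce, int $now): bool
{
    if ($nonce === null || !isset($store[$nonce])) {
        return false;                               // never issued, or already used
    }
    $entry = $store[$nonce];
    unset($store[$nonce]);                          // single use: discard whatever the outcome
    if ($now > $entry['expires']) {
        return false;                               // expired
    }
    return hash_equals($entry['action'], $action);  // bound to the action it was issued for
}

// --- constructed demonstration --------------------------------------------
$store = [];   // stands in for the per-user session storage
$now   = time();

$cases = [];

// 1. first use of a freshly issued nonce
$n = issue_nonce($store, 'post_message', $now);
$cases['first use']     = verify_and_consume_nonce($store, 'post_message', $n, $now);
// 2. the same nonce presented a second time
$cases['replay']        = verify_and_consume_nonce($store, 'post_message', $n, $now);
// 3. request with no nonce at all
$cases['missing']       = verify_and_consume_nonce($store, 'post_message', null, $now);
// 4. nonce presented after its lifetime has passed
$late = issue_nonce($store, 'post_message', $now);
$cases['expired']       = verify_and_consume_nonce($store, 'post_message', $late, $now + NONCE_TTL_SECONDS + 1);
// 5. nonce issued for one action, presented for another
$other = issue_nonce($store, 'delete_message', $now);
$cases['wrong action']  = verify_and_consume_nonce($store, 'post_message', $other, $now);

foreach ($cases as $label => $accepted) {
    printf("%-13s -> %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

The controller would call `issue_nonce()` when rendering the page (and embed the value next to the `base_url()` call in the jQuery snippet), then call `verify_and_consume_nonce()` as the first thing in `post_message` and stop with a 403 when it returns false. Consuming the nonce before checking its expiry keeps an expired nonce from being retried later.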
0

Try using sessions to control who can access the ajax URL, because hiding the URL in ajax is not possible.

aaronroman
0

You can use is_ajax_request(); it will return true/false.

http://codeigniter.com/user_guide/libraries/input.html

RamiroRS
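The checks from Quentin's, aaronroman's and RamiroRS's answers combined into one guard, as an added example that is not from any of the answers or from CodeIgniter itself. It is written framework-free, as a pure function over the request and the session, so it runs from the command line; in a CodeIgniter 2 controller the same three inputs come from `$this->input->server('REQUEST_METHOD')`, `$this->session->userdata('user_id')` and `$this->input->is_ajax_request()` (which only tests the `X-Requested-With` header). The function names, the `user_id` session key and the status codes chosen for each failure are assumptions for the example; it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the question or any of the answers): a framework-free
// version of the session + method + is_ajax_request checks, written as a pure
// function so it can be exercised from the CLI with constructed requests.
declare(strict_types=1);

/**
 * Decide whether ajax/post_message may run. Returns an HTTP status code:
 *   405 - not a POST (a URL typed into the address bar arrives as a GET)
 *   401 - no logged-in user in the session
 *   403 - logged in, but the request does not look like an XMLHttpRequest
 *   200 - the handler may proceed
 * The session check is the real access control. The header check comes last
 * because any HTTP client can set X-Requested-With, so it is only a hint that
 * filters accidental direct visits, never a substitute for authentication.
 */
function authorize_ajax_request(array $server, array $session): int
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 405;
    }
    if (empty($session['user_id'])) {
        return 401;
    }
    // Same test CodeIgniter's is_ajax_request() performs: header present and equal to "XMLHttpRequest".
    $xrw = (string)($server['HTTP_X_REQUESTED_WITH'] ?? '');
    if (strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return 403;
    }
    return 200;
}

/** How the controller method would use the guard: refuse early, answer JSON only on 200. */
function post_message(array $server, array $session, array $post): array
{
    $status = authorize_ajax_request($server, $session);
    if ($status !== 200) {
        return ['status' => $status, 'body' => ['error' => 'request refused']];
    }
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '') {
        return ['status' => 400, 'body' => ['error' => 'empty message']];
    }
    // ... persist $message for $session['user_id'] here ...
    return ['status' => 200, 'body' => ['ok' => true, 'length' => strlen($message)]];
}

// --- constructed requests (no real server involved) -------------------------
$logged_in = ['user_id' => 42];
$anonymous = [];
$ajax_post = ['REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$plain_get = ['REQUEST_METHOD' => 'GET'];
$bare_post = ['REQUEST_METHOD' => 'POST'];   // a POST without the header

$scenarios = [
    'address bar, logged in'          => [$plain_get, $logged_in],
    'jQuery $.ajax, logged in'        => [$ajax_post, $logged_in],
    'jQuery $.ajax, not logged in'    => [$ajax_post, $anonymous],
    'POST without header, logged in'  => [$bare_post, $logged_in],
];

foreach ($scenarios as $label => [$server, $session]) {
    $r = post_message($server, $session, ['message' => 'hello']);
    printf("%-32s -> HTTP %d %s\n", $label, $r['status'], json_encode($r['body']));
}
```

In the real controller, map the returned status onto `$this->output->set_status_header()` and stop before touching the model. The ordering of the scenarios is the point of the example: the logged-out `$.ajax` call is refused even though it carries the header, while the logged-in request from the address bar is refused on method alone, so the URL can stay public without the response being public.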