
On my website I have a registration page which makes an AJAX request to check if a username is available after it has been entered. This file is called check.php and is in the same directory as the registration.php file. When data is posted to check.php it will perform a query at a MySQL database and return how many users it found with that username.

If anybody were to post data to the check.php file they would see the result, too. I need to stop this somehow, I've read on a few answers I need to "authenticate" each request. This is probably a very large topic although I'm not too sure what to search for to find more about it. Is authenticating each request a good way to stop unnecessary username checks? If so I would really appreciate it if anyone could point me in the right direction as to how to do this.

lethal-guitar
jskidd3
  • Since you use it on a registration page, I assume the "user" who "legally" uses this PHP is not a registered client? So _anyone_ can go to your page, perform some input and get the return. If that's true, what's the point of "securing" it? – Passerby Oct 21 '13 at 09:52
  • @Passerby You are right, I used a stupid example. For the purpose of the question, if you could assume it was something that did need securing, I would appreciate that. :) – jskidd3 Oct 21 '13 at 09:54

5 Answers

A solution is to generate a unique token in the session and put it in all pages that will contain a form. Post this token on each AJAX request you make. This is called CSRF protection (Cross-Site Request Forgery).

You can add a protection layer by checking the user's Referer HTTP header.

Telmo Marques
netvision73
  • Do you have a link at all that you could maybe back this up with? It sounds like a good answer, but I would need to read more about it. – jskidd3 Oct 21 '13 at 10:00
  • That will be a solution for checking requests from another domain. But an authenticated valid user will still be able to break this easily. – Alma Do Oct 21 '13 at 10:01

Answer for the common case: no, you can't prevent this, since AJAX is just an HTTP request. It can be sent no matter how you protect your server. So if the point is to protect from 'evil hackers', there's no way to do this. The correct thing, though, is to check/validate everything on the server side.

But if it's only about a basic check, you can read

if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { /* request was sent by XMLHttpRequest (header is client-supplied) */ }

but be aware: this is also data which came from the client, i.e. it can't be trusted (actually, it's just an HTTP request header, nothing more).

Alma Do
  • Thanks for your answer. Is this fully secure though? Like you say, the HTTP request can be manipulated, right? Is there a way to get around this? – jskidd3 Oct 21 '13 at 09:50
  • Like I've said, you can do just a _basic check_, but you can't rely on any data that came from the client. You must say to yourself: **all client data is evil, they are all evil hackers!** and act accordingly. – Alma Do Oct 21 '13 at 09:51
  • Exactly my point: this solution is good but doesn't treat all users like they are hackers. I could be a hacker and manipulate the HTTP request; this solution would then be worthless? – jskidd3 Oct 21 '13 at 09:53
  • So you should just admit: if someone wants to get your data from AJAX in plain (i.e. not from your application), he will. It's OK, there's nothing to worry about unless your security is built on the fact that 'AJAX requests are secure requests' (so you should treat an AJAX request as just any other request). – Alma Do Oct 21 '13 at 09:55
  • Yes, that definitely sounds right for this situation. But what if better security was needed? For example, a game where the points were sent via AJAX at the end of the game to be added to a leaderboard? Whilst it doesn't really matter with checking usernames, I'd like to know how to get around it if it were something more serious like that. – jskidd3 Oct 21 '13 at 09:58
  • Then just realize: you've chosen the wrong tool for implementing your logic. You can't rely on AJAX requests anyway. If your application logic can't be implemented without relying on security in AJAX, you're doing something wrong. – Alma Do Oct 21 '13 at 10:00
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/39634/discussion-between-jskidd3-and-alma-do-mundo) – jskidd3 Oct 21 '13 at 10:01
I think you can create a session variable when the user logs in to your application and check whether this variable has the correct value when you post something to your 'check.php' file, to check whether your user was previously authenticated.

user2891084

Missing a lot of info, but conceptually I am not sure you are worrying about a real risk. The bottom line is that people can use your form to check if emails exist, so it's logical they can use check.php as well. It would be overkill to try and prevent that.

Mika
  • OK, but the concept is still there: if this was another file that did require authentication, what then? – jskidd3 Oct 21 '13 at 09:50
  • Once you are past the login, you can authenticate each request either through the session info or by embedding the info in the request. For example, if you are writing an API, you can include username and password in each request, or if you are showing user-specific information you can look at the session info. If the authentication fails, then you deny the request and say there is a login/password mismatch. – Mika Oct 21 '13 at 10:08

I have one thought: you can generate some unique token and store it in the SESSION before showing the page. Then on each check you must add this token to the request. check.php must regenerate the token and return the new one.

But each request can be emulated, and this does not protect you from people who want to know the results of check.php. Nothing protects...

Also you can make a mechanism for analyzing the request IP for the check.

CreatoR
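What the per-session token approach in netvision73's and CreatoR's answers looks like in PHP, as an added example that is not code from any answer here. It rejects requests that do not carry the token issued to that session and makes each token single-use; as Alma Do's answer points out, it does not stop a visitor who already holds a valid session from calling check.php directly. registration.php, check.php and the users table come from the question; the token.php include, the function names, the 32-character username limit and the PDO credentials are assumptions.

```php
<?php
// Added example, not code from any answer on this page.
// --- token.php: included by both registration.php and check.php (assumed file name) ---
session_start();

// Called once by registration.php when it renders the form; the token is random,
// stored only in the session, and echoed into the page for the AJAX code to post back.
function issueToken(): string {
    $_SESSION['check_token'] = bin2hex(random_bytes(32));
    return $_SESSION['check_token'];
}

// Compares the posted token in constant time, then rotates it so each token is
// usable once (the regeneration CreatoR describes). Returns the new token or null.
function verifyAndRotateToken($posted): ?string {
    $expected = $_SESSION['check_token'] ?? null;
    if (!is_string($posted) || $expected === null || !hash_equals($expected, $posted)) {
        return null;                     // missing, stale or forged token
    }
    return issueToken();
}

// --- check.php ---
header('Content-Type: application/json');

$newToken = verifyAndRotateToken($_POST['token'] ?? null);
if ($newToken === null) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid token']);
    exit;
}

$username = is_string($_POST['username'] ?? null) ? trim($_POST['username']) : '';
if ($username === '' || strlen($username) > 32) {      // 32 is an assumed limit
    http_response_code(400);
    echo json_encode(['error' => 'bad username', 'token' => $newToken]);
    exit;
}

// Parameterised query: the username never becomes part of the SQL string.
$pdo = new PDO('mysql:host=localhost;dbname=APP_DB', 'DB_USER', 'DB_PASS');  // placeholders
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
$stmt->execute([$username]);
$count = (int) $stmt->fetchColumn();

echo json_encode(['taken' => $count > 0, 'token' => $newToken]);
```

The AJAX code must store the `token` value from each response and send it with the next request, since the previous token is no longer valid after rotation.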