
I have domains and subdomains like below:

http://www.my-web.com
http://admin.my-web.com
http://client.my-web.com
http://staff.my-web.com

And now I have PHP pages like below that receive requests (POST or GET) and process them:

http://www.my-web.com/process.php
http://admin.my-web.com/process.php
http://client.my-web.com/process.php
http://staff.my-web.com/process.php

So when I post some data via AJAX POST from http://www.my-web.com/index.php to http://client.my-web.com/process.php, it should be accepted.

Suppose someone posts to http://client.my-web.com/process.php from http://their-domain.com/hack.php via AJAX POST. That should be restricted.

rkaartikeyan
  • [How to prevent cross-domain ajax requests?](http://stackoverflow.com/questions/6347881/how-to-prevent-cross-domain-ajax-requests) or [Why the cross-domain Ajax is a security concern?](http://stackoverflow.com/questions/466737/why-the-cross-domain-ajax-is-a-security-concern) or [How to stop other website to send cross domain ajax requests?](http://security.stackexchange.com/questions/44394/how-to-stop-other-website-to-send-cross-domain-ajax-requests) – gloomy.penguin Nov 13 '13 at 22:08
  • Thanks for the reply @user623952, but my problem is still not solved. How can I create an access token? – rkaartikeyan Nov 13 '13 at 22:10
  • In addition to cross-domain AJAX considerations, when you are talking about POSTed data, you should probably also be overlying standard cross-site request forgery CSRF protections as well. – Mike Brant Nov 13 '13 at 22:18
  • @MikeBrant thanks for the reply... I am totally blind on this, so I don't know about CSRF protections or overlying standard cross-site. – rkaartikeyan Nov 13 '13 at 22:24
  • @rkaartikeyan Typically you make cross-site origin configurations on your server to determine whether you will allow cross-domain AJAX. In addition to that, if you are doing things like POSTing data (for instance for updating a data store or similar) you might also want to employ standard CSRF protections such as session tokens to validate that the POST is coming to you from a valid session. – Mike Brant Nov 13 '13 at 22:28
  • This is really too broad of a topic to answer here concisely, so you really need to read up on this (some of the provided links are a good start). – Mike Brant Nov 13 '13 at 22:30
  • @MikeBrant I could understand that we need to make some session tokens, but how in code? If I am posting an AJAX form from www.my-domain.com/index.php to client.my-domain.com/process.php, how can I make a session token? I have tried like this: in index.php I create a session variable like $_SESSION['token'] = '112343'; when I validate it on client.my-domain.com/process.php it's telling me $_SESSION['token'] is not found. – rkaartikeyan Nov 13 '13 at 22:49
  • @rkaartikeyan You are getting into basics of session handling, which it seems you may not be familiar with. I think this requires research on your part. – Mike Brant Nov 13 '13 at 22:53
  • @MikeBrant thanks for your time. I will research it myself. – rkaartikeyan Nov 13 '13 at 22:54
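
As an added example (not code from the question or from the comment thread), here is one way to put the two things the comments recommend into process.php: an Origin allowlist for the CORS headers, and a per-session CSRF token that the AJAX call has to send back. The symptom described in the comments, a `$_SESSION['token']` set on www.my-domain.com that is "not found" on client.my-domain.com, comes from PHP's session cookie being host-only by default, so the example scopes the cookie to the parent domain so that all four subdomains see the same session. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params` with `samesite`), that all sites live under `my-web.com`, and the helper names (`startSharedSession`, `applyCors`, `csrfTokenIsValid`) are mine.

```php
<?php
// Added example, not the question's own code. Assumes every site is a
// subdomain of my-web.com so one session cookie can be shared by all.
declare(strict_types=1);

// Exact browser origins allowed to call process.php. No wildcard: with
// credentials (cookies) browsers reject "*" anyway, and an open list
// would defeat the purpose.
const ALLOWED_ORIGINS = [
    'http://www.my-web.com',
    'http://admin.my-web.com',
    'http://client.my-web.com',
    'http://staff.my-web.com',
];

function startSharedSession(): void
{
    // Scope the cookie to the parent domain so www., admin., client. and
    // staff. all read the same session. httponly keeps scripts from
    // reading the session id; SameSite=Lax is a browser-enforced second
    // layer against cross-site POSTs. Add 'secure' => true once on HTTPS.
    session_set_cookie_params([
        'domain'   => '.my-web.com',
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded: unguessable, one per session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
}

// index.php renders this into the page and the AJAX call sends it back.
function csrfToken(): string
{
    return $_SESSION['csrf_token'];
}

// Emit CORS headers only when the Origin header is on the allowlist.
// Returns false (and sends no CORS headers) for any other origin.
function applyCors(): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return false;
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Headers: Content-Type, X-CSRF-Token');
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Vary: Origin');
    return true;
}

// The token may arrive as a form field or as the X-CSRF-Token header.
// hash_equals() compares in constant time.
function csrfTokenIsValid(): bool
{
    $sent = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
    return is_string($sent)
        && $sent !== ''
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// ---- process.php request flow ----
startSharedSession();

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    // Preflight: answer with the CORS headers (or none) and stop.
    applyCors();
    http_response_code(204);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// CORS only controls what a browser lets the calling page read; the
// request itself still reaches this script. Rejecting unknown origins
// here is a useful check, but the token below is the real protection.
if (!applyCors()) {
    http_response_code(403);
    exit('Origin not allowed');
}

if (!csrfTokenIsValid()) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Both checks passed: process the posted data.
header('Content-Type: application/json');
echo json_encode(['status' => 'ok']);
```

On the calling side, index.php would call `startSharedSession()`, embed `htmlspecialchars(csrfToken())` in the form or a data attribute, and the AJAX request would send it as the `csrf_token` field or `X-CSRF-Token` header with credentials enabled (`withCredentials: true` on the XMLHttpRequest), since the session cookie has to travel with the cross-subdomain request for the token to match.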

0 Answers