
I have a project where users have their own user pages which consist of blocks which are editable (they can be moved around and their content can be changed). The content of these blocks (currently mostly text) etc. is stored in a MySQL database. All editing is done by the mypage-editing.js script. After the user saves the changes he has made, page-editing.js sends an AJAX POST call to save-page.php (the data is an array of block objects, the username and the page name), which inserts the received data into the MySQL database.

My question is:

How can I prevent "inappropriate" POST calls to my save-page.php, because as far as I know anyone can send calls to it. Will it be enough if in save-page.php I check that the login session has started and the session has the right username in it?

John Kugelman
Kaltsoon
    How would you prevent "inappropriate post calls" to a non-AJAX version of this? The same measures apply to AJAX requests. – David Nov 18 '13 at 14:32
  • 2
    Use the SESSION - on page load, set a session var and use the same var in a hidden input in your form. Check that the two values match in the ajax script, problem more or less solved. – What have you tried Nov 18 '13 at 14:35
  • 1
    I would assume that you are doing the following things. (1) Using sessions for securing your CMS. (2) Posting the page ID to be edited to `save-page.php` (3) Making sure the user is logged in (4) Making sure the user has permissions to edit/save the page in question. (5) Checking if the request is an AJAX call and transmitting the proper response (I send either JSON or return a PHP array for further use by other PHP classes) – MonkeyZeus Nov 18 '13 at 15:07

2 Answers


Is it safe? Well it will be if you secure that endpoint.

There are a number of ways to provide security, but here are two options I would suggest.

1) Session-based. Authenticate the user and then set a flag in PHP's built-in session. Check that flag in your endpoints, and perform the appropriate error handling if the request is not authenticated.

2) Stateless. Use a secure cookie protocol implementation to sign and authenticate requests.
The protocol is here: http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf And there are various implementations. Here's one of many blog posts on the subject: http://raza.narfum.org/post/1/user-authentication-with-a-secure-cookie-protocol-in-php/

The former will get you rolling most quickly, and is probably what you should do. The latter is an optimization you can make when you are looking to scale since sessions create headaches on horizontal architectures.

In any case, take care with how you store any passwords (hash them, salt them), and using https will of course keep user information from being sent in the clear.

morefromalan
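Putting the session-based option from this answer together with the CSRF-token and ownership checks suggested in the comments on the question, here is an added example of a hardened save-page.php. It is my code, not the answerer's; the table and column names, the session keys (user_id, csrf_token) and the PDO connection details are assumptions.

```php
<?php
// save-page.php (added example). Assumed schema:
// pages(id, owner_id, name), blocks(page_id, position, content).
session_start();

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1) Only POST, and only from a session that went through the normal login.
//    Note: X-Requested-With is NOT checked; any client can set that header.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'method not allowed');
if (empty($_SESSION['user_id']))            fail(401, 'not logged in');

// 2) CSRF token: generated at page load, stored in the session and embedded in
//    the page (hidden input / JS variable); the AJAX call must echo it back.
$token = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    fail(403, 'bad csrf token');
}

// 3) Identity comes from the session, never from the POST body: any
//    "username" field the client sends is ignored.
$userId   = (int) $_SESSION['user_id'];
$pageName = $_POST['page'] ?? '';
$blocks   = json_decode($_POST['blocks'] ?? '', true);
if ($pageName === '' || !is_array($blocks)) fail(400, 'bad input');

$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 4) Authorization: the page must belong to the logged-in user.
$stmt = $db->prepare('SELECT id FROM pages WHERE owner_id = ? AND name = ?');
$stmt->execute([$userId, $pageName]);
$pageId = $stmt->fetchColumn();
if ($pageId === false) fail(403, 'not your page');

// 5) Replace the blocks with prepared statements inside one transaction.
$db->beginTransaction();
$db->prepare('DELETE FROM blocks WHERE page_id = ?')->execute([$pageId]);
$ins = $db->prepare('INSERT INTO blocks (page_id, position, content) VALUES (?, ?, ?)');
foreach ($blocks as $i => $b) {
    if (!is_array($b) || !isset($b['content']) || !is_string($b['content'])) {
        $db->rollBack();
        fail(400, 'bad block');
    }
    $ins->execute([$pageId, $i, $b['content']]);
}
$db->commit();
echo json_encode(['ok' => true]);
```

The page-load script that issues the token (bin2hex(random_bytes(32)) stored in $_SESSION['csrf_token']) and the login handler that sets $_SESSION['user_id'] are assumed to exist alongside this endpoint.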
<?php
// Detect the X-Requested-With header that jQuery and similar libraries add to AJAX calls.
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
    // it's an AJAX request, so do something
    echo json_encode(['ajax' => true]);
} else {
    // it's not an AJAX request, so do something else
    echo 'not an AJAX request';
}

But the best way is session checking, as this header can be spoofed, and so can your GET/POST variables.

Tom Tom
  • This header is not an official header; many libs or tools won't set this header. I'd suggest not to use it because it's not cross-platform/browser compatible. – Daniel W. Nov 18 '13 at 14:43
  • 2
    These headers can be easily spoofed though. This alone won't be enough to protect the script. – John Dorean Nov 18 '13 at 14:43
  • http://stackoverflow.com/questions/2579254/php-does-serverhttp-x-requested-with-exist-or-not – cen Nov 18 '13 at 14:44