
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php

I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.

What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?

plsgogame
Petri
  • The big question is how would you distinguish robots vs. humans. Writing a robot that would first "visit" your web site and then use the retrieved session id/token/whatever to access your API is not very hard. – lexicore Dec 05 '14 at 17:19
  • Thanks everyone for quick replies! Even though there is no 100% protection against everything, the PHP session probably is the best "soft" protection for this kind of case. – Petri Dec 05 '14 at 17:52

5 Answers

If you just want the user to visit page.php before using api.php, the session is the way to go.

Alex Angelico
  • Yes this is what I want. This might be a stupid question, but how do I check on api.php that a session exists on the server? – Petri Dec 05 '14 at 17:21
  • By initializing the session with `session_start()` and reading the session variable `$_SESSION` of the declared session. [See the manual: Sessions](http://php.net/manual/en/session.examples.basic.php) – Tim Wißmann Dec 05 '14 at 17:39
  • Just start the session in every php script (page.php and api.php in this scenario). Then set a variable in page.php and read it in api.php. Something like `@session_start(); $_SESSION['allow'] = 1;` in page.php, then `if (!empty($_SESSION['allow'])) ...` in api.php. – Alex Angelico Dec 05 '14 at 17:41

Check the referrer with `$_SERVER['HTTP_REFERER']`; if it's outside the domain, block it.

Beware that people can alter their REFERER, so it's not secure.

Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html

Jelle Keizer
  • I don't think that this is the best way, because it's too easy to modify the HTTP_REFERER from outside. – Tim Wißmann Dec 05 '14 at 17:12
  • There is no secure way without authentication. – Jelle Keizer Dec 05 '14 at 17:14
  • @JelleKeizer Checking the session is already as you can't fake the session id without actually "visiting" the website. A captcha-based solution would be already very good. "Referer" is just too trivial to fake. – lexicore Dec 05 '14 at 17:25
  • Of course, you can use reCaptcha if you want to make your visitors into free volunteers of Google's OCR software... – Tim Wißmann Dec 05 '14 at 17:32

Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes to the URL in their browser and just types the api.php call, they will not get a result. This doesn't protect your site, but it keeps search engines away from that URL reasonably well, and accidental browsing to it.

Otherwise, there are lots of authentication plugins for php.

http://www.homeandlearn.co.uk/php/php14p1.html for example.

Peter Kellner
  • If you have a proper REST API using post for *everything* is not a good idea. – floriank Dec 05 '14 at 17:18
  • POST might make it a bit more difficult to use the api but its still pretty easy for someone to start using it. Users won't need to log in on my site so authentication plugins might not be the solution. – Petri Dec 05 '14 at 17:28
  • REST is not the answer for everything. – Peter Kellner Dec 05 '14 at 17:32

You can check the request in several ways, such as token validation, session validation or even the server `HTTP_REFERER` variable.


Cookies, HTTP-Referer, additional POST data or some form data that you send in a hidden input field aren't secure enough to be sure that the user comes from your site.

Everything of it can be easily changed by the user by modifying the HTTP header data (or, if you use cookies, by changing the cookie file on the client machine).

I would prefer the PHP session combined with a good protection against bots (ex. a honeypot), because it's not so easy to hijack if you use them properly.

Please note: If there is a bot especially for your site, you've lost anyway. So there isn't a 100% protection.

Tim Wißmann
  • By initializing the session with `session_start()` and reading the session variable `$_SESSION` of the declared session. [See the manual: Sessions](http://php.net/manual/en/session.examples.basic.php) – Tim Wißmann Dec 05 '14 at 17:42
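Putting the session approach from the accepted answer and Tim Wißmann's answer together, as an added example that is not code from any of the answers: page.php sets the `allow` flag plus a per-session token, and api.php checks both and caps calls per session, since the concern is cost. The file names come from the question; the `X-Api-Token` header, the 60-per-minute limit and the `fetch` call are assumptions. As the comments note, a bot that first loads page.php still gets a valid session, so this remains soft protection.

```php
<?php
// ---------- page.php ----------
// Mark this session as having visited page.php and hand the page's
// JavaScript a per-session token to send back on the ajax call.
session_start();
$_SESSION['allow'] = 1;                                   // the flag api.php checks
if (empty($_SESSION['api_token'])) {
    $_SESSION['api_token'] = bin2hex(random_bytes(16));   // unguessable, bound to this session
}
?>
<script>
  // Assumed header name. Sending the token in a custom header (rather than relying on
  // the cookie alone) also stops other sites from triggering api.php with a plain GET.
  var apiToken = <?php echo json_encode($_SESSION['api_token']); ?>;
  fetch('/api.php', {method: 'POST', headers: {'X-Api-Token': apiToken}})
    .then(r => r.json()).then(data => console.log(data));
</script>

<?php
// ---------- api.php ----------
session_start();
header('Content-Type: application/json');

$sent = $_SERVER['HTTP_X_API_TOKEN'] ?? '';
if (empty($_SESSION['allow']) || empty($_SESSION['api_token'])
    || !hash_equals($_SESSION['api_token'], $sent)) {      // constant-time compare
    http_response_code(403);                               // no page.php visit, or wrong token
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// Per-session rate cap (assumed limit: 60 calls per 60-second window), so one
// session cannot run up the bill even if it did load page.php first.
$now = time();
if (($_SESSION['rl_window'] ?? 0) < $now - 60) {
    $_SESSION['rl_window'] = $now;
    $_SESSION['rl_count']  = 0;
}
if (++$_SESSION['rl_count'] > 60) {
    http_response_code(429);
    echo json_encode(['error' => 'too many requests']);
    exit;
}

echo json_encode(['result' => 'the paid-for work would go here']);
```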