Post request come from which page

Question

I have a simple post request that comes from one specific page of my site:

reqdata = 'text=' + mytext;
$.ajax({
  type: "POST",
  url: "/request.php",
  data: reqdata,
  cache: false,
  success: function(html) {
    alert(html)
  }
});

It goes to another page of the same site .. So the first page calls page mydomain.com/test.php calls http request to mydomain.com/request.php

How do I recognise on page mydomain.com/request.php that the original page the request come from was mydomain.com/test.php?

I wish to ensure that the request can be done only from this exact page mydomain.com/test.php and not from other domains nor page.

I do the request using ajax and javascript and therefore I think that I cannot add a hidden authentication that would ensure the whole thing is secure. Because each value is seen on the original page source code.

the [php superglobal](http://php.net/manual/en/reserved.variables.server.php) `$_SERVER['HTTP_REFERER']` might be helpful — Jeff Puckett, Apr 23 '16 at 15:05
@JeffPuckettII `$_SERVER['HTTP_REFERER']` isn't recommended/is not reliable and here's why http://stackoverflow.com/a/6023980/ - Edit: Whoever is upvoting that comment, hasn't read this. — Funk Forty Niner, Apr 23 '16 at 15:07
thanks **@Fred -ii -** for the reference, I had wondered about that before, good read — Jeff Puckett, Apr 23 '16 at 15:09
You can add another parameter in the ajax request and check the value of that parameter inside the php file — Anoop saju, Apr 23 '16 at 15:14
@paul - so how do I make it secure ... so I can only do the request from this domain? HTTP_REFERER is not safe right? It can be faked? — Brana, Apr 23 '16 at 15:15
Generate one time session keys on correct page load (server side) — Paul S., Apr 23 '16 at 15:16
@Anoop saju I did this I added it in the ajax but it is visible on the page request come from. This is like pasword. But everyone who can see the source page can see the ajax form ... — Brana, Apr 23 '16 at 15:17

score 1 · Answer 1 · answered Sep 13 '17 at 12:55

It seems you are searching for a way to protect yourself against Cross Site Request Forgery (XSRF).

The common way to protect against XSRF is to render some time limited key on your page (just some <script> var mySecret = <?php (someSecret) ?>) and keep track of these. You could use the first characters of the session id for example and check if the request data contains this field. You can just add this to your data with something like ...&secret=mySecret When there is a session id with the first characters of this data attribute, you accept the request, otherwise you reject it on your server (possibly with error code 403).

So this question would be

best practices to avoid XSRF on my site

and should be asked on the information security stack exchange.

Thanks I have done something like this. I write the key and then recheck it. — Brana, Sep 14 '17 at 13:47

Post request come from which page

1 Answers1