-1

I'm working on a simple contact form right now that will just post to a /contact endpoint and update a message via ajax if success or failure. I plan on having other forms such as account settings work in this sort of way too so I can avoid having to refresh the page. I'm new to working with ajax and creating my own api's so any help would be awesome.

Basically what I want to do right now is verify that the post request/body is being sent from my website and not an external source. I thought about just checking the url with PHP but I'm not sure if this can be spoofed. Any help would be great, thanks!

Joe Scotto
  • 10,936
  • 14
  • 66
  • 136
  • You need to use a token for this purpose. Something like `nonce` in `wordpress`. – Xaqron Mar 28 '17 at 00:42
  • Now how would that work though? I've seen in places of setting a token on a hidden input then sending it along with your request but couldn't a user just come in, take that token, and then make the request them selves? – Joe Scotto Mar 28 '17 at 00:44
  • Use a token in form which you have set in `session` object. So later you can check if data comes from the your form by validating token field against session value. Check this: http://stackoverflow.com/questions/4145531/how-to-create-and-use-nonces – Xaqron Mar 28 '17 at 00:46

2 Answers2

1

One method is to create a unique ID/GUID when the form is created, embed it in the form (hidden field, JS var), and also store it to $_SESSION. When your script is called via AJAX, pass this value in the AJAX call, and then compare it on the server side. That way, you not only know it came from your page, but from the same session.

Sloan Thrasher
  • 4,953
  • 3
  • 22
  • 40
  • I'm assuming that these get reset with every request? – Joe Scotto Mar 28 '17 at 00:45
  • It's up to you. You could check to see if it's already stored in the $_SESSION, and use it again, or generate one if missing. IF(!isset($_SESSION['_default']['GUID'])) { // generate guid } else { $guid = $_SESSION['_default']['GUID'] }. Values stored in the $_SESSION last until the session ends or they are over-written. – Sloan Thrasher Mar 28 '17 at 00:51
  • That's making sense to me. Now from a security standpoint would this be a really secure way to do this or are there better ways that I should look into? For a contact form, that should be more than enough security but when I start messing around with user information like account settings, that might not be enough. – Joe Scotto Mar 28 '17 at 00:53
  • Combined with other measures (SSL, User Signins, etc.) this should be fairly secure. Since you generate a new GUID when the form is first created, it will expire when the user leaves the site (or shortly thereafter), so that if someone else sees it, they have very limited time to use it. If you want to reduce that time further, re-generate it and send it back in the AJAX return, and every time the form is loaded. – Sloan Thrasher Mar 28 '17 at 00:57
  • Thanks for your help! This topic has been confusing me for quite some time and you explained it in a very simple way. Thanks again! – Joe Scotto Mar 28 '17 at 00:58
  • One more thing, should I use seperate tokens for each form or could I use the same one for all of them? Would it be more secure one way or another? – Joe Scotto Mar 28 '17 at 01:07
  • If the different forms use the same code on the backend via AJAX, then use the same GUID. Otherwise, create a different one and store them in their own $_SESSION['form_name'] variable. – Sloan Thrasher Mar 28 '17 at 05:56
0

To check this things security i would pass a hash generated on the client (with certain rules) and check if the hash is valid on the server php endpoint. You can use $_SERVER["HTTP_REFERER"] to check if the domain matches but that can be easily spoofed and sometimes it may actually not even be available. I hope i answered the question. This is what i understood you were asking.

Pedro Monteiro
  • 11
  • 2