
With PHP I want to know whether an AJAX request came from ajax.js or index.php. The file that is being requested is ajax.php. I have tried using `$_SERVER['HTTP_REFERER']` to figure this out but instead of http://www.example.com/ajax.js, I am receiving http://www.example.com/index.php.

So how can I figure out what file made the AJAX call using PHP, using data that the client CAN NOT CHANGE?

  • Send it as data with the request. – Federico klez Culloca Apr 09 '18 at 15:40
  • Yes, I know this... My problem is that I don't know for sure whether an ajax call came from `ajax.js` or some other file. – DMVerfurth Apr 09 '18 at 15:40
  • 1
    Your AJAX request will have to manually self-identify because the web browser does not automatically report this for you. The web browser only lets you know which page the request came from, not from which asset, aka JS file. – MonkeyZeus Apr 09 '18 at 15:40
  • I am also using this as a type of security. If I sent this information with the request, a user could change the value with a web inspector such as firebug. – DMVerfurth Apr 09 '18 at 15:42
  • Possible duplicate of [How to check if the request is an AJAX request with PHP](https://stackoverflow.com/questions/18260537/how-to-check-if-the-request-is-an-ajax-request-with-php) – Peter Apr 09 '18 at 15:42
  • This not a duplicate because I don't need to know whether the call is ajax, I need to know where the ajax call came from. – DMVerfurth Apr 09 '18 at 15:45
  • As far as your server is concerned, `ajax.js` doesn't exist. If you're including it from `index.php`, then the request _is_ coming from `index.php`. Your server doesn't care that you happened to split some JS out into different files, it's all being loaded _and executed_ from the same place. – Patrick Q Apr 09 '18 at 15:47
  • @DMVerfurth security cannot come from the client, for the exact reason you stated. So even if there was a way to know whether the request came from the page or the javascript, it could be spoofed. – Federico klez Culloca Apr 09 '18 at 15:47
  • You are asking for client authentication then. There are many ways to do this. So many that this question is too broad for SO. – Peter Apr 09 '18 at 15:47
  • But there is no way of editing a js file with firebug then calling it... right? – DMVerfurth Apr 09 '18 at 15:48
  • @DMVerfurth, sure there is. You can monkey patch every piece of JS you'd like with the console. – Peter Apr 09 '18 at 15:50
  • an attacker will just need to change the data in transit, not the javascript itself. – Federico klez Culloca Apr 09 '18 at 15:50
  • If the attacker faked the data in index.php and sent it, then my server would reject it because it didn't come from `ajax.js`; this way no one would be able to fake data since they cannot successfully send data from a js file using a web inspector, right? – DMVerfurth Apr 09 '18 at 15:53
  • how can you stop me from changing *any* of the data that goes out from my computer, including this imaginary "comes-from-file" header of sorts? That's the main problem. – Federico klez Culloca Apr 09 '18 at 15:54
  • Ok, I have edited the question to be a little more specific about what I need. I figure the edit will help because it specifies that I don't want anything that can be changed by the user. – DMVerfurth Apr 09 '18 at 15:57
  • @DMVerfurth Right now I can send your server a request from my server and on your end you will see that `HTTP_REFERER` is `https://www.google.com/ajax.js`. The HTTP protocol is built in such a way that the requestor identifies themselves any way that they want and unless you implement some monumental checks on the server-side of things then your server is going to blindly accept whatever the requestor has supplied. This is why there is absolutely NO WAY for your server to determine where a request came from. You would have to implement one-time AJAX tokens or something. – MonkeyZeus Apr 09 '18 at 17:47
  • Ok I see, thanks. I'll look into some other way of making AJAX secure then. – DMVerfurth Apr 09 '18 at 19:30

1 Answer


You could add a custom header when executing your request using AJAX. Then check if your custom header is present in get_headers().

If your custom header is present, the request comes from your js file. If not, it's a regular request.

You can check how to add a custom header here.

  • Yes but a user could make their own call from a different file and still specify my custom header. – DMVerfurth Apr 09 '18 at 15:46
  • So you can use both headers and $_SERVER to check where the request comes from: `index.php with custom header`. If the user tries to send it from another page, it will be like `other.php with custom header`. EDIT: I just figured out your edit. You can't be sure of the data sent by any client, everything can be spoofed. A JS file is editable, you shouldn't use it to secure something. – Alexandre P Apr 10 '18 at 09:31
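Both the Referer and the answer's custom header are chosen by the client, so the one thing ajax.php can actually verify is a value the server itself issued, as in the one-time tokens MonkeyZeus mentions. The following is an added example, not code from the question or the answer: index.php issues a session-bound token, ajax.js echoes it back in a custom header, and ajax.php rejects anything else. The helper file name `token.php`, the header name `X-Ajax-Token` and the function names are my assumptions. Note what this proves: that the request was made by a page this session loaded, not which JS file issued it; no server-side check can establish the latter.

```php
<?php
// token.php (assumed helper name; required by both index.php and ajax.php).
// $session is $_SESSION in production; it is passed by reference so the same
// functions can be exercised from the command line, as at the bottom of the file.

function ajax_token_issue(array &$session): string
{
    // Generated server-side: the client never chooses this value.
    $session['ajax_token'] = bin2hex(random_bytes(32));
    return $session['ajax_token'];
}

function ajax_token_verify(array &$session, array $server): bool
{
    // PHP exposes a request header "X-Ajax-Token" as $_SERVER['HTTP_X_AJAX_TOKEN'].
    $presented = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    $expected  = $session['ajax_token'] ?? '';
    $ok = $expected !== '' && hash_equals($expected, $presented); // constant-time compare
    if ($ok) {
        unset($session['ajax_token']); // one-time: replaying the same token fails
    }
    return $ok;
}

// index.php:  session_start(); require 'token.php';
//             echo '<script>window.AJAX_TOKEN = ' . json_encode(ajax_token_issue($_SESSION)) . ';</script>';
//             echo '<script src="ajax.js"></script>';
// ajax.js:    fetch('ajax.php', {method: 'POST', headers: {'X-Ajax-Token': window.AJAX_TOKEN}});
// ajax.php:   session_start(); require 'token.php';
//             if (!ajax_token_verify($_SESSION, $_SERVER)) { http_response_code(403); exit; }

// Command-line walkthrough on constructed requests (run with: php token.php).
if (PHP_SAPI === 'cli') {
    $session = [];
    $token   = ajax_token_issue($session);                    // index.php was loaded
    $forged  = ['HTTP_REFERER'      => 'http://www.example.com/ajax.js',
                'HTTP_X_AJAX_TOKEN' => 'anything-the-client-typed'];
    $genuine = ['HTTP_X_AJAX_TOKEN' => $token];               // what ajax.js sends
    echo 'forged Referer + header accepted: ', var_export(ajax_token_verify($session, $forged), true), PHP_EOL;
    echo 'issued token accepted:            ', var_export(ajax_token_verify($session, $genuine), true), PHP_EOL;
    echo 'same token replayed accepted:     ', var_export(ajax_token_verify($session, $genuine), true), PHP_EOL;
}
```

The forged request is rejected because the session never issued that value, the genuine one passes once, and the replay fails because the token was consumed on success.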