How do I prevent my users from accessing directly pages meant for ajax calls only?
如何防止用户直接访问仅用于ajax调用的页面?
Passing a key during ajax call seems like a solution, whereas access without the key will not be processed. But it is also easy to fabricate the key, no? Curse of View Source...
在ajax调用期间传递密钥似乎是一种解决方案,而没有密钥的访问将不会被处理。但制造钥匙也很容易,不是吗?查看源代码的诅咒……
p/s: Using Apache as webserver.
p/s:使用Apache作为webserver。
EDIT: To answer why, I have jQuery ui-tabs in my index.php, and inside those tabs are forms with scripts, which won't work if they're accessed directly. Why a user would want to do that, I don't know, I just figure I'd be more user friendly by preventing direct access to forms without validation scripts.
编辑:为了回答为什么,我在索引中有jQuery ui选项卡。php以及这些选项卡中的表单都是带有脚本的,如果直接访问这些脚本,就无法工作。我不知道用户为什么要这样做,我只是认为,如果不使用验证脚本阻止对表单的直接访问,我将对用户更友好。
10 个解决方案
#1
21
As others have said, Ajax request can be emulated be creating the proper headers. If you want to have a basic check to see if the request is an Ajax request you can use:
正如其他人所说,Ajax请求可以被模拟为创建适当的头。如果您想要进行基本检查,以查看请求是否为Ajax请求,您可以使用:
if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
//Request identified as ajax request
}
However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.
然而,你不应该把你的安全建立在这张支票上。如果您需要的话,它将消除对页面的直接访问。
#2
34
There is no way of guaranteeing that they're accessing it through AJAX. Both direct access and AJAX access come from the client, so it can easily be faked.
无法保证他们通过AJAX访问它。直接访问和AJAX访问都来自客户机,因此很容易伪造。
Why do you want to do this anyways?
你为什么要这么做?
If it's because the PHP code isn't very secure, make the PHP code more secure. (For example, if your AJAX passes the user id to the PHP file, write code in the PHP file to make sure that is the correct user id.)
如果是因为PHP代码不太安全,那么让PHP代码更安全。(例如,如果您的AJAX将用户id传递给PHP文件,请在PHP文件中编写代码,以确保用户id是正确的。)
#3
8
It sounds like you might be going about things the wrong way. An AJAX call is just like a standard page request, only by convention the response is not intended for display to the user.
听起来你可能走错路了。AJAX调用就像一个标准的页面请求,只是按照惯例,响应不打算显示给用户。
It is, however, still a client request, and so you must be happy for the client to be able to see the response. Obfuscating access using a "key" in this way only serves to complicate things.
但是,它仍然是一个客户机请求,因此您必须为客户机能够看到响应而感到高兴。用这种方式混淆访问权限只会使事情变得更复杂。
I'd actually say the "curse" of view source is a small weapon in the fight against security through obscurity.
我想说的是“魔咒”的视角来源是一个小武器,在通过暗地里对抗安全。
So what's your reason for wanting to do this?
那么你为什么要这么做呢?
#4
4
If the browser will call your page, either by normal request or ajax, then someone can call it manually. There really isn't a well defined difference between normal and ajax requests as far as the server-client communication goes.
如果浏览器将通过常规请求或ajax调用您的页面,那么有人可以手动调用它。就服务器-客户机通信而言,普通请求和ajax请求之间并没有明确的区别。
Common case is to pass a header to the server that says "this request was done by ajax". If you're using Prototype, it automatically sets the http header "X-Requested-With" to "XMLHttpRequest" and also some other headers including the prototype version. (See more at http://www.prototypejs.org/api/ajax/options at "requestHeaders" )
常见的情况是将一个头传递给服务器,该服务器表示“这个请求是由ajax完成的”。如果使用Prototype,它会自动将http报头“X-Requested-With”设置为“XMLHttpRequest”,以及其他一些报头(包括Prototype版本)。(参见http://www.prototypejs.org/api/ajax/options的“requestheader”)
Add: In case you're using another AJAX library you can probably add your own header. This is useful for knowing what type of request it was on the server side, and for avoiding simple cases when an ajax page would be requested in the browser. It does not protect your request from everyone because you can't.
添加:如果您正在使用另一个AJAX库,您可以添加自己的标题。这对于了解服务器端请求的类型以及避免在浏览器中请求ajax页面的简单情况非常有用。它并不能保护你的请求不被任何人发现,因为你不能。
#5
1
COOKIES are not secure... try the $_SESSION. That's pretty much one of the few things that you can actually rely on cross-page that can't be spoofed. Because, of course, it essentially never leaves your control.
饼干是不安全…$ _SESSION试。这几乎是你可以依赖的少数几件事之一,你可以依赖的跨页不能被欺骗。因为,当然,它本质上永远不会离开你的控制。
#6
1
thanks, albeit I use
谢谢,尽管我使用
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if(IS_AJAX) {
//Request identified as ajax request
}
cheers!
干杯!
#7
0
Not sure about this, but possibly check for a referrer header? i think if someone manually typed in your url, it wouldn't have a referrer header, while AJAX calls do (at least in the quickly test I just did on my system).
对此我不太确定,但可以检查一下推荐人的头吗?我认为如果有人手动输入你的url,它不会有一个引用头,而AJAX调用可以(至少在我刚在系统上做的快速测试中)。
It's a bad way of checking though. Referrer can be blank for a lot of reasons. Are you trying to stop people from using your web service as a public service or something?
这是一种糟糕的检查方式。由于许多原因,推荐人可能是空白的。你想阻止人们使用你的web服务作为公共服务吗?
After reading your edit comments, if the forms will be loaded via ajax calls, than you could check window.location to see if the url is your ajax form's url. if it is, go to the right page via document.location
在阅读编辑注释之后,如果表单将通过ajax调用加载,那么可以查看窗口。查找url是否为ajax表单的url。如果是,通过document.location转到正确的页面
#8
0
This definitely isn't useful for securing something.. but I think this could be of use if you wanted to have say a php page that generated a whole page if the page was not requested by ajax but only generate the part that you needed returned when ajax was used.. This would allow you to make your site non ajax friendly so if say they click on a link and it's supposed to load a box of comments but they don't have ajax it still sends them to the page that is then generated as a whole page displaying the comments.
这绝对对保护某物没有帮助。但是我认为,如果你想要一个php页面,如果这个页面不是ajax请求的,而是在使用ajax时只生成需要返回的部分,那么这个页面可能会有用。这将让你让你的网站非ajax友好如果说他们点击一个链接,它应该加载一个盒子的评论但是他们没有ajax仍然将它们发送给整个页面,然后生成页面显示评论。
#9
0
Pass your direct requests through index.php and your ajax requests through ajax.php and then dont let the user browse to any other source file directly - make sure that index.php and ajax.php have the appropriate logic to include the code they need.
通过索引传递直接请求。php和ajax请求。然后不要让用户直接浏览任何其他源文件——确保索引。php和ajax。php具有包含所需代码的适当逻辑。
#10
0
In the javascript file that calls the script:
在调用脚本的javascript文件中:
var url = "http://website.com/ajax.php?say=hello+world";
xmlHttp.open("GET", url, true);
xmlHttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
then in the php file ajax.php:
然后在php文件ajax.php中:
if($_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest") {
header("Location: http://website.com");
die();
}
Geeks can still call the ajax.php script by forging the header but the rest of my script requires sessions so execution ends when no valid session is detected. I needed this to work in order to redirect people with expired hybridauth sessions to the main site in order to login again because they ended up being redirected to the ajax script.
极客们仍然可以称之为ajax。php脚本通过锻造头,但是我的脚本的其余部分需要会话,所以当没有检测到有效会话时,执行就结束了。我需要这样做,以便将使用过期杂交会话的人重定向到主站点,以便再次登录,因为他们最终被重定向到ajax脚本。
#1
21
As others have said, Ajax request can be emulated be creating the proper headers. If you want to have a basic check to see if the request is an Ajax request you can use:
正如其他人所说,Ajax请求可以被模拟为创建适当的头。如果您想要进行基本检查,以查看请求是否为Ajax请求,您可以使用:
if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
//Request identified as ajax request
}
However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.
然而,你不应该把你的安全建立在这张支票上。如果您需要的话,它将消除对页面的直接访问。
#2
34
There is no way of guaranteeing that they're accessing it through AJAX. Both direct access and AJAX access come from the client, so it can easily be faked.
无法保证他们通过AJAX访问它。直接访问和AJAX访问都来自客户机,因此很容易伪造。
Why do you want to do this anyways?
你为什么要这么做?
If it's because the PHP code isn't very secure, make the PHP code more secure. (For example, if your AJAX passes the user id to the PHP file, write code in the PHP file to make sure that is the correct user id.)
如果是因为PHP代码不太安全,那么让PHP代码更安全。(例如,如果您的AJAX将用户id传递给PHP文件,请在PHP文件中编写代码,以确保用户id是正确的。)
#3
8
It sounds like you might be going about things the wrong way. An AJAX call is just like a standard page request, only by convention the response is not intended for display to the user.
听起来你可能走错路了。AJAX调用就像一个标准的页面请求,只是按照惯例,响应不打算显示给用户。
It is, however, still a client request, and so you must be happy for the client to be able to see the response. Obfuscating access using a "key" in this way only serves to complicate things.
但是,它仍然是一个客户机请求,因此您必须为客户机能够看到响应而感到高兴。用这种方式混淆访问权限只会使事情变得更复杂。
I'd actually say the "curse" of view source is a small weapon in the fight against security through obscurity.
我想说的是“魔咒”的视角来源是一个小武器,在通过暗地里对抗安全。
So what's your reason for wanting to do this?
那么你为什么要这么做呢?
#4
4
If the browser will call your page, either by normal request or ajax, then someone can call it manually. There really isn't a well defined difference between normal and ajax requests as far as the server-client communication goes.
如果浏览器将通过常规请求或ajax调用您的页面,那么有人可以手动调用它。就服务器-客户机通信而言,普通请求和ajax请求之间并没有明确的区别。
Common case is to pass a header to the server that says "this request was done by ajax". If you're using Prototype, it automatically sets the http header "X-Requested-With" to "XMLHttpRequest" and also some other headers including the prototype version. (See more at http://www.prototypejs.org/api/ajax/options at "requestHeaders" )
常见的情况是将一个头传递给服务器,该服务器表示“这个请求是由ajax完成的”。如果使用Prototype,它会自动将http报头“X-Requested-With”设置为“XMLHttpRequest”,以及其他一些报头(包括Prototype版本)。(参见http://www.prototypejs.org/api/ajax/options的“requestheader”)
Add: In case you're using another AJAX library you can probably add your own header. This is useful for knowing what type of request it was on the server side, and for avoiding simple cases when an ajax page would be requested in the browser. It does not protect your request from everyone because you can't.
添加:如果您正在使用另一个AJAX库,您可以添加自己的标题。这对于了解服务器端请求的类型以及避免在浏览器中请求ajax页面的简单情况非常有用。它并不能保护你的请求不被任何人发现,因为你不能。
#5
1
COOKIES are not secure... try the $_SESSION. That's pretty much one of the few things that you can actually rely on cross-page that can't be spoofed. Because, of course, it essentially never leaves your control.
饼干是不安全…$ _SESSION试。这几乎是你可以依赖的少数几件事之一,你可以依赖的跨页不能被欺骗。因为,当然,它本质上永远不会离开你的控制。
#6
1
thanks, albeit I use
谢谢,尽管我使用
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if(IS_AJAX) {
//Request identified as ajax request
}
cheers!
干杯!
#7
0
Not sure about this, but possibly check for a referrer header? i think if someone manually typed in your url, it wouldn't have a referrer header, while AJAX calls do (at least in the quickly test I just did on my system).
对此我不太确定,但可以检查一下推荐人的头吗?我认为如果有人手动输入你的url,它不会有一个引用头,而AJAX调用可以(至少在我刚在系统上做的快速测试中)。
It's a bad way of checking though. Referrer can be blank for a lot of reasons. Are you trying to stop people from using your web service as a public service or something?
这是一种糟糕的检查方式。由于许多原因,推荐人可能是空白的。你想阻止人们使用你的web服务作为公共服务吗?
After reading your edit comments, if the forms will be loaded via ajax calls, than you could check window.location to see if the url is your ajax form's url. if it is, go to the right page via document.location
在阅读编辑注释之后,如果表单将通过ajax调用加载,那么可以查看窗口。查找url是否为ajax表单的url。如果是,通过document.location转到正确的页面
#8
0
This definitely isn't useful for securing something.. but I think this could be of use if you wanted to have say a php page that generated a whole page if the page was not requested by ajax but only generate the part that you needed returned when ajax was used.. This would allow you to make your site non ajax friendly so if say they click on a link and it's supposed to load a box of comments but they don't have ajax it still sends them to the page that is then generated as a whole page displaying the comments.
这绝对对保护某物没有帮助。但是我认为,如果你想要一个php页面,如果这个页面不是ajax请求的,而是在使用ajax时只生成需要返回的部分,那么这个页面可能会有用。这将让你让你的网站非ajax友好如果说他们点击一个链接,它应该加载一个盒子的评论但是他们没有ajax仍然将它们发送给整个页面,然后生成页面显示评论。
#9
0
Pass your direct requests through index.php and your ajax requests through ajax.php and then dont let the user browse to any other source file directly - make sure that index.php and ajax.php have the appropriate logic to include the code they need.
通过索引传递直接请求。php和ajax请求。然后不要让用户直接浏览任何其他源文件——确保索引。php和ajax。php具有包含所需代码的适当逻辑。
#10
0
In the javascript file that calls the script:
在调用脚本的javascript文件中:
var url = "http://website.com/ajax.php?say=hello+world";
xmlHttp.open("GET", url, true);
xmlHttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
then in the php file ajax.php:
然后在php文件ajax.php中:
if($_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest") {
header("Location: http://website.com");
die();
}
Geeks can still call the ajax.php script by forging the header but the rest of my script requires sessions so execution ends when no valid session is detected. I needed this to work in order to redirect people with expired hybridauth sessions to the main site in order to login again because they ended up being redirected to the ajax script.
极客们仍然可以称之为ajax。php脚本通过锻造头,但是我的脚本的其余部分需要会话,所以当没有检测到有效会话时,执行就结束了。我需要这样做,以便将使用过期杂交会话的人重定向到主站点,以便再次登录,因为他们最终被重定向到ajax脚本。