I have a jQuery script using .live() to load it's page content.
$('#content').load("content.php?" + id);
Question: How can I deny a user from accessing the file content.php directly via a URL?
I tried to put this code on top of content.php but Access Denied appear in my #content div
if (!empty($_SERVER['SCRIPT_FILENAME']) && 'content.php' == basename($_SERVER['SCRIPT_FILENAME']))
die('Access Denied');
What is the correct way to make sure users can't access my content.php file using a URL?
Source: Tips4all
You could use some sort of hashing. For example if content.php has the parameter id; you add an additional parameter hash which contains the MD5 hash of "'some random string' + id*15". In content.php you check if the hash & id match; if not access denied.
ReplyDeleteThe computation has to be done in PHP (not ajax) because the user must not know the hashing algprithmus.
With this method the user can look up the source code and access the page directly but you can't disallow that completly because the browser need to access the page to show it. But the user can't access pages he hasn't accessed through ajax before. You could use some headers (HTTP_X_REQUESTED_WITH) to prevent most internet users to access the page directly but experienced users will change the header and access it anyway.
If you want to protect the usage you can use a one time key algorithm. Have the server generate a key that the page will contain in a variable or attribute somewhere. Then on the load command you pass the key to content.php like this:
ReplyDeletekey = $("{some selector to get the key}")
$('#content').load("content.php?id=" + id + "key=" + key);
Once the page makes the call to server using the key the server will expire the key making it unusable. This way only active page requests will have access to your content.php file.
This method is still not bullet proof but would make it more difficult to access the content.php by the user.
Since you're calling a resource via ajax a possible solution is sending a particular header into the request like HTTP_X_REQUESTED_WITH and then detect the header server side like so:
ReplyDelete/* AJAX check */
if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) ||
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest') {
die($content);
}
I suggest reading this: Detecting Ajax Events on the Server.
ReplyDeleteIs there other content on the mainpage that you could reference from the content.php file to verify that you are loading it as part of the mainpage and not a stand alone page? You could also pass something via a session from the mainpage into the content.php page and then remove the item at the end of loading of the content.php.
ReplyDeleteIf the URL is accessible with AJAX request then it can be accessed directly and there is not much you can do about it. You can try to detect if a request is the AJAX request with:
ReplyDeletefunction isAjaxRequest() {
return array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}
and check for it in the beginning of the script:
if (!isAjaxRequest())
die('Access Denied');
but you shouldn't rely on this check too much because it's rather easy to bypass.