PHP sessions, AJAX, authentication and security.

on 21.11.2009 12:30:47 by Angus Mann

Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance.

Re: PHP sessions, AJAX, authentication and security.

on 21.11.2009 14:31:26 by Phpster

You could use a one time token on each request

Bastien

Sent from my iPod

On Nov 21, 2009, at 6:30 AM, "Angus Mann" wrote:

> Hi all.
>
> A question about PHP sessions and their interaction with AJAX.
>
> I have a database containing sensitive information and users need to
> log in to my PHP script and be authenticated before they are granted
> access.
>
> For one of the forms I would like to retrieve information using
> AJAX, and some of that information is sensitive also. The request
> from AJAX is handled by another, simpler PHP script.
>
> It occurs to me that the AJAX handler could be used to bypass the
> user authentication and a crafted request sent directly to the AJAX
> handler to get information without authentication.
>
> Can anyone offer some advice about how to piggy-back the session/
> authentication data that the user originally used to the AJAX so
> that only an authenticated user will get a valid response from the
> AJAX handler? I know I could embed authentication information into
> the web-page and send this with the AJAX request but I'm interested
> to know if there are other methods also.
>
> I hope the explanation is clear.
>
> Thanks in advance.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP sessions, AJAX, authentication and security.

on 21.11.2009 14:54:46 by TedD

At 9:30 PM +1000 11/21/09, Angus Mann wrote:
>Hi all.
>
>A question about PHP sessions and their interaction with AJAX.
>
>I have a database containing sensitive information and users need to
>log in to my PHP script and be authenticated before they are granted
>access.
>
>For one of the forms I would like to retrieve information using
>AJAX, and some of that information is sensitive also. The request
>from AJAX is handled by another, simpler PHP script.
>
>It occurs to me that the AJAX handler could be used to bypass the
>user authentication and a crafted request sent directly to the AJAX
>handler to get information without authentication.
>
>Can anyone offer some advice about how to piggy-back the
>session/authentication data that the user originally used to the
>AJAX so that only an authenticated user will get a valid response
>from the AJAX handler? I know I could embed authentication
>information into the web-page and send this with the AJAX request
>but I'm interested to know if there are other methods also.
>
>I hope the explanation is clear.
>
>Thanks in advance.

Angus:

First, don't trust anything that comes from the client -- period.

Second, Ajax is just another way to send stuff to the server. When
the data gets to the server then authenticate and set a session
variable to indicate such. This is not rocket science, but if you
don't do it right you'll leave a crater.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

Re: PHP sessions, AJAX, authentication and security.

on 21.11.2009 22:57:14 by Nathan Rixham

Angus Mann wrote:
> Hi all.
>
> A question about PHP sessions and their interaction with AJAX.
>
> I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access.
>
> For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script.
>
> It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication.
>
> Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also.
>
> I hope the explanation is clear.
>
> Thanks in advance.

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

session_start();                        // resume the session the login page created
if (empty($_SESSION['is_logged_in'])) {
    exit();                             // not authenticated: return nothing at all
}
// do stuff

Re: Re: PHP sessions, AJAX, authentication and security.

on 21.11.2009 23:15:04 by Angus Mann

> same as everywhere else in your apps.. ajax is no different in any way
> at all, not even slightly. as far as PHP and web server is concerned
> it's just a plain old request same as any other; thus..
>
> if( !$_SESSION['is_logged_in'] ) {
> exit();
> }
> // do stuff
>


Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me:

session_start();                        // resume the session set at login
if (!isset($_SESSION['username'])) {
    header('HTTP/1.0 403 Forbidden');   // refuse, rather than answer with a 200
    echo("Go Away.");
    exit();
}
// now work with sensitive data...

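As an added example that is not code from the thread: the session gate Nathan and Angus settled on, combined with the one-time token Bastien suggested, in one helper file. The file name auth.php, the function names, the X-Ajax-Token header and PHP 7.1+ are assumptions of this example.

```php
<?php
// auth.php (added example, not code from the thread; names are assumed).
// The AJAX handler is just another request, so it gets the same session
// gate as any page. On top of that, a per-session token that is replaced
// after every successful AJAX call rejects replayed or forged requests.

function login_succeeded(string $username): void
{
    // Called once the password check against the database has passed.
    session_regenerate_id(true);            // fresh id on privilege change
    $_SESSION['username']   = $username;
    $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
}

function deny(int $code, string $reason): void
{
    http_response_code($code);
    header('Content-Type: application/json');
    echo json_encode(['error' => $reason]);
    exit;
}

function require_ajax_auth(): string
{
    if (empty($_SESSION['username'])) {
        deny(403, 'not authenticated');
    }
    // PHP exposes the request header X-Ajax-Token as HTTP_X_AJAX_TOKEN.
    $sent = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';
    if (empty($_SESSION['ajax_token'])
        || !hash_equals($_SESSION['ajax_token'], $sent)) {
        deny(403, 'invalid token');
    }
    // Consume the token: a replayed request now fails the check above.
    $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    return $_SESSION['username'];
}

// ajax_handler.php would then read:
//   session_start();
//   require 'auth.php';
//   $user = require_ajax_auth();
//   // ... query only the sensitive rows that belong to $user ...
//   header('Content-Type: application/json');
//   echo json_encode(['rows' => $rows, 'next_token' => $_SESSION['ajax_token']]);
// The page embeds the current token for its JavaScript, which sends it in
// the X-Ajax-Token header and keeps next_token for the following call.
```

Because each call consumes the token, the page's JavaScript must issue its AJAX requests one after another (or fall back to the plain session gate for requests that are allowed to run concurrently).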