How do I verify the origin of an AJAX request


So, I have a page on my site (index.php) which wants to make simple AJAX lookups. The AJAX requests are made in JSON to /ajax/search.php.

In /ajax/search.php, how can I make sure the request has come from index.php? There is no login required so I can’t check sessions. Also, I do not want to use cookies.



You can use $_SERVER['HTTP_REFERER'].
Although it can be quite easily spoofed, as far as I know that’s your only option if you don’t want to use cookies and/or sessions.
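As an added example (not code from anyone in this thread), here is what a /ajax/search.php that applies the Referer/Origin check above could look like, combined with an allow-list of read-only operations so that a spoofed header alone does not unlock anything destructive. It assumes the site is served from www.example.com, that index.php posts JSON such as {"op":"search","q":"term"}, and uses constructed sample blog data; doSearch() and listBlogs() are hypothetical data-access helpers.

```php
<?php
// ajax/search.php: added example. Assumes the site lives on www.example.com.
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.example.com'];          // assumption: your own host(s)
const PUBLIC_OPERATIONS = ['search', 'list_blogs']; // read-only, safe without login
const BLOGS = [                                     // constructed sample data
    ['id' => 1, 'title' => 'First post'],
    ['id' => 2, 'title' => 'Second post'],
];

// Host from the Origin header (browsers send it on XHR/fetch POSTs),
// falling back to Referer. Returns null when neither is present.
function requestHost(array $server): ?string
{
    $hdr = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($hdr === null) {
        return null;
    }
    $host = parse_url($hdr, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Exact host match: "www.example.com.evil.test" and
// "https://www.example.com@evil.test/" both parse to a different host.
function isSameSite(array $server): bool
{
    $host = requestHost($server);
    return $host !== null && in_array($host, ALLOWED_HOSTS, true);
}

function doSearch(string $q): array   // hypothetical data-access helper
{
    return array_values(array_filter(BLOGS, fn($b) => stripos($b['title'], $q) !== false));
}

function listBlogs(): array           // hypothetical data-access helper
{
    return BLOGS;
}

// Returns [HTTP status, response array]. The header check only stops
// cross-site *browser* requests; curl can send any Referer/Origin, so the
// allow-list of read-only operations is what really limits exposure.
function handle(array $server, string $body): array
{
    if (!isSameSite($server)) {
        return [403, ['error' => 'request did not originate from this site']];
    }
    $req = json_decode($body, true);
    $op = is_array($req) ? ($req['op'] ?? null) : null;
    if (!in_array($op, PUBLIC_OPERATIONS, true)) {
        return [400, ['error' => 'unknown or non-public operation']];
    }
    $result = $op === 'search' ? doSearch((string)($req['q'] ?? '')) : listBlogs();
    return [200, ['result' => $result]];
}

[$status, $payload] = handle($_SERVER, (string)file_get_contents('php://input'));
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($payload);
```

Anything that modifies data (delete, update) is deliberately absent from PUBLIC_OPERATIONS and belongs behind real authentication, since the header check is a courtesy filter, not proof of who is calling.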

Why do you need to make sure the request comes directly from “index.php”? That seems awfully silly, making a public interface like that. In the end all the requests on the web are the same, with no connection to the previous request.

Sounds like you just want to overcomplicate this.

I’ve had a similar problem. Only I would like to do it by domain so that only my framework can access the API. It doesn’t seem like this is possible. So the alternative is to decide which methods/operation requests need to be permission checked vs. those that do not. For example, I don’t really care if Joe Shmoo fetches a list of blogs but I do care if they attempt to delete a blog directly through my public API. You can even add an extra layer behind the request that logs any outside attempts to access API methods the person doesn’t have permission to, or excessive requests.

I’m not really sure how you have your system set up, but I myself have module and DAO requests. A module request basically fetches a view w/o the master template. This is useful for opening JavaScript “lightboxes” with the requested content. In this case no permission checking is done because the request is run as normal. The only difference is a blank master template.

However, the problem area lies with the DAO request. In that case someone can directly call a method on DAO w/ supplied args. So the only reasonable way I’ve found to restrict what methods can/can’t be requested is via an added permission layer. That way at least destructive methods are not able to be accessed directly through the public API.

In the end though it really is a catch-22 situation. Ideally I would like to be able to use the same exact data access layer w/ regulation on the client side, but for security reasons it’s just not practical.

So the open access to all data that doesn’t require someone to be logged in is just something you need to get over. For example, by running the below request someone could get all my blogs’ information as JSON or XML via curl or an AJAX call.


Kinda sucks but at least there is regulation on something like this: