PHP Ajax or jquery post check session id?

Hi, I am new to this one. Could you please teach me how to make sure or check that the AJAX or jQuery post originated from my domain and from that particular session?

In other words, on session_start create some global variable ID and then on post pass that variable to PHP, where we will check whether it is the same or not.

session_id() will give you the session ID.

PHP automatically saves the session_id in a cookie. If you call session_start(), PHP tries to find that specific cookie in your request and recalls the existing session if the cookie is found. If you need user authentication, the user on your site must enter a login/password or some other special data. Your script finds e.g. the user id and saves it in the PHP session ($_SESSION).

Then on any request (so XHR) you can check whether or not the user id exists in your session.
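The flow described in this answer (login stores the user id in $_SESSION, the AJAX endpoint refuses sessions that never logged in), as an added example that is not code from the thread. It assumes PHP 7.4 or newer, a single endpoint that dispatches on a constructed `action` field, and a constructed user store and city list; the cookie flags and session_regenerate_id() call are the settings a defender would want around the check, not something the answer spelled out.

```php
<?php
// Added example (not from the thread). One script serves both a "login" and an
// "autocomplete" action so the session binding can be shown end to end.
declare(strict_types=1);

// Keep PHPSESSID out of reach of page scripts, off plain HTTP, and out of most
// cross-site requests. The array form needs PHP 7.3 or newer.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start(); // restores $_SESSION from the PHPSESSID cookie, if one is sent

/** Constructed user store; a real site would query a database. */
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

/** Verify credentials and bind the user id to a freshly issued session id. */
function handleLogin(string $username, string $password): bool
{
    $user = users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true); // new id at login; the old session file is deleted
    $_SESSION['user_id'] = $user['id'];
    return true;
}

/** Answer the autocomplete XHR only when the session carries a user id. */
function handleAutocomplete(string $term): array
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        return ['error' => 'not logged in'];
    }
    if ($term === '') {
        return ['suggestions' => []];
    }
    $cities = ['Berlin', 'Bern', 'Bergen', 'Boston']; // constructed data
    $matches = array_values(array_filter(
        $cities,
        fn(string $c): bool => stripos($c, $term) === 0
    ));
    return ['suggestions' => $matches];
}

header('Content-Type: application/json');
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    echo json_encode(['ok' => handleLogin($_POST['username'] ?? '', $_POST['password'] ?? '')]);
} elseif ($action === 'autocomplete') {
    echo json_encode(handleAutocomplete($_POST['term'] ?? ''));
} else {
    http_response_code(400);
    echo json_encode(['error' => 'unknown action']);
}
```

A jQuery call such as `$.post('endpoint.php', {action: 'autocomplete', term: 'Ber'})` from a page on the same domain sends the session cookie automatically; a client that never passed `handleLogin` gets a 401 no matter where the post came from. The check binds the request to an authenticated session, which is the point of the answer above; it does not by itself stop a logged-in browser from being driven by another site, which is the CSRF problem raised later in the thread.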

Thanks, but is it enough to make sure the post has not originated from some remote source?

The session id can be viewed by anyone, am I right?

Actually no. By default in your browser the cookie of some domain is visible to this domain’s sites only. Sure, you can change this setting, but this would be a clear action against security.

Thanks for bearing with me. Let me get this straight! The session id cannot be viewed by, let’s say, hackers?

I have an autocomplete form and need to make sure the post is coming from the current session and not from some other domain or source.

I got it. I can add some extra secret code to the cookie id and then check it with PHP.

Oh…

  1. Your session id is not visible by default.
  2. You need authentication functionality.
  3. You also need protection from CSRF attacks.

If you have some web resource, I strongly recommend you find a professional developer for it. I think no one can provide absolute security for your resource just remotely.

Thanks, buddy, for your support. Bye.

That’s correct. You would need to always regenerate the session ID so that it’s different every time a user refreshes the page. You would also have to destroy the old session so that no one can access it. The PHPSESSID cookie is visible, but anything that uses $_SESSION is not. Just remember that.

Yes, that is CSRF.
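The "extra secret code" idea confirmed above as CSRF protection, as an added example that is not code from the thread: a per-session token that the same-origin page embeds and the endpoint compares with hash_equals(). It assumes PHP 7.1 or newer, that the page and the endpoint share the session, and that jQuery is loaded; the `csrf_token` field name and `X-CSRF-Token` header name are choices made for the example.

```php
<?php
// Added example (not from the thread). The same script renders the page
// (GET) and answers the AJAX post (POST), so one session holds the token.
declare(strict_types=1);

session_start();

/** Return the session's CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token against the session's token. */
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Endpoint side: accept the token as a POST field or as a request header.
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_check($submitted)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(['suggestions' => [], 'term' => (string) ($_POST['term'] ?? '')]);
    exit;
}

// Page side: embed the token so a same-origin script can read it back.
// Another site cannot read this page, so it cannot learn the token.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="csrf-token" content="<?= $token ?>">
<input id="q" type="text" autocomplete="off">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
// Send the token with every autocomplete post; the endpoint rejects posts without it.
var csrfToken = $('meta[name="csrf-token"]').attr('content');
$('#q').on('input', function () {
    $.ajax({
        url: location.pathname,
        type: 'POST',
        headers: { 'X-CSRF-Token': csrfToken },
        data: { term: $(this).val() },
        dataType: 'json'
    });
});
</script>
```

Because the token lives in $_SESSION and is only ever written into a page served to that session, a request from another origin arrives with the cookie but without the token and gets a 403. hash_equals() avoids leaking the token through timing differences in a plain string comparison.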


As good as CSRF tokens are for security, I see no relation to his original task of “hacker” prevention or client binding. I could publish a web service that does auto-logon into an account and reads the token, effectively emulating a web browser as a man-in-the-middle; that is always some remote source anyway.
