0

I've been searching Google and here, and haven't found anything that'd work for me. I'm trying to restrict access to my scripts so that they will only be accessible via the main page. On the initial page load, everything loads fine. But, if I click on a link, the define() variable I have in my main page is no longer defined to other things, so it causes a failure. Perhaps code will be more helpful.

index.php:

<?php
session_start();
define('CRC32', microtime());
@require_once('funcs.php');
?>
[...]
<div id="header">
	<div style="width: 20%; float: left;"><img src="img/logo.gif" alt="S4U Logo" /></div>
	<div id="login_form" style="width: 80%; float: right; text-align: center;"><?php require('forgotpw.php'); ?></div>
[...]

funcs.php:

<?php

function CheckAllowed(){
        if(!constant('CRC32')){
                echo("<script>alert('fail');</script>");
                //header("HTTP/1.1 404 Not Found");
        }
}
?>

forgotpw.php:

<?php
@require_once("funcs.php");

CheckAllowed();

if(!isset($_SESSION['key'])){
        echo("HI2!");
} else{
        echo("HI!");
        //echo("<script>alert('You are currently logged in.');</script>");
}
?>

I just edited this to show you, but "Forgot Password?" (forgotpw.php) is actually a link.

Basically CheckAllowed() works fine when you first go to the website, but when you click on the "Forgot Password?" link, it calls forgotpw.php and CheckAllowed() fails because CRC32 is no longer defined (I've tested this with the if() statements, forgotpw.php will load right now, but will show the "fail" dialog box as CRC32 isn't defined anymore). I've also tried not doing it via a function and putting the code right in there, but I still have the same issue.

Does anyone have any idea on how to get this to work with Ajax? I've heard of using $_SERVER as a workaround, but I haven't found anything that illustrates what to do w/ the server variables.

Edited by raevin: n/a

4
Contributors
14
Replies
15
Views
6 Years
Discussion Span
Last Post by raevin
0

I would do something like this:

<?php
//header script, include in all scripts accept your ajax php script
session_start();
$_SESSION['pageAuth'] = microtime();
if(__FILE__ == "/var/www/websitename/index.php")
{
    $fp = fopen('/var/webSec/websitename.txt', 'w'); //needs to be writable by apache, make apache the owner or writable and readable by all
    fwrite($fp, $_SESSION['pageAuth']);
    fclose($fp);    
}
?>

<?php
//ajax php script
session_start();
if(!isset($_SESSION['pageAuth']) || file_get_contents("/var/webSec/websitename.txt") != $_SESSION['pageAuth'])
{
    exit("Go Pound Sand :P");
}

//continue ajax script here
?>

Edited by R0bb0b: n/a

0

Thank you, but the problem with that is once you go to index.php it'll give you a session token and then you can go to the page directly just fine (which defeats what I'm wanting to do). The safest thing I've seen so far with Ajax calls is the following:

if(empty($_SERVER['HTTP_X_REQUESTED_WITH'])){
                header("Status: 404 Not Found", true, 404);
        }
0

Thank you, but the problem with that is once you go to index.php it'll give you a session token and then you can go to the page directly just fine (which defeats what I'm wanting to do). The safest thing I've seen so far with Ajax calls is the following:

if(empty($_SERVER['HTTP_X_REQUESTED_WITH'])){
                header("Status: 404 Not Found", true, 404);
        }

What is that? I don't see that in the manual.

0

What is that? I don't see that in the manual.

$_SERVER isn't an official SERVER response in PHP, but prototype.js and jQuery send this additional header when it makes a request call (GET/POST) via Ajax.

0

It's not perfect but what about using $_SERVER?

I thought about that, but I never really liked that as a viable solution (for anything, really).

0

right, it depends on the header, which can be manipulated. Given that, I wouldn't be surprised if HTTP_X_REQUESTED_WITH also comes from the header.

0

If you are just trying to restrict access to the those pages, just move them outside of public domain and use the main page that you are talking about to include them.

Seems simple enough to me, but I may be missing the point.

Edited by somedude3488: n/a

0

right, it depends on the header, which can be manipulated. Given that, I wouldn't be surprised if HTTP_X_REQUESTED_WITH also comes from the header.

It is, I just checked w/ both Tamper Data and LiveHTTPHeaders in Firefox, and it shows this;
X-Requested-With: XMLHttpRequest

It's still not a safe-sound solution, but it's the best to do...only better would to be sure it has that text exactly.

0

If you are just trying to restrict access to the those pages, just move them outside of public domain and use the main page that you are talking about to include them.

Seems simple enough to me, but I may be missing the point.

That's not possible via using Ajax calls because JavaScript can't access the filesystem itself, as far as I know anyways.

0

I guess I am confused as to what the op is trying to do.

Are you trying to load pages with ajax?

From the code you have I don't see anything that really has to do with ajax.

Edited by somedude3488: n/a

0

That's not possible via using Ajax calls because JavaScript can't access the filesystem itself, as far as I know anyways.

That's fine but any version of including the script is still stuck within the realm of the http protocol.

Any authentication is going to have to be server side if you are really worried about security. You cannot rely on anything coming from the header. And you cannot just have the script authenticate itself because again, that can be manipulated.

0

@kkeith: The Ajax calls are in a seperate file that holds no bearing to this question/issue.

@R0bb0b: That's right. But, since define/d() doesn't work with Ajax, I have nothing to work with besides the headers...:/

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.