Ajax request - access only from local domain

Question

Ajax request - access only from local domain

Roman O Jul '13

Created Jul '13	Last Reply Jul '13	Replies 3	Views 1385	Votes 3

Roman O 13.8k

Jul '13

How make this code in phalcon?

$domain = parse_url($_SERVER['HTTP_REFERER']);\n
$domain = $domain['host'];
if($domain != $_SERVER['SERVER_NAME'])
    die();

I want to Ajax requests were only available with the local domain...but code not work:

class AjaxController extends AjaxResponse
{
    public function initialize()
    {
        $request = new Phalcon\Http\Request();
        $host = $request->getHttpHost();
        // return string(10) "localhost3"

        $referer = $request->getHTTPReferer();
        // return string(0) ""

        die(var_dump($referer));
    }

    public function indexAction()
    {
        $this->view->disable();
        die("0");
    }

    public function authenticationAction() 
    {
        $this->setJsonResponse();
        return array("ajax" => false, "details" => "test" );
    }

    public function dAction() 
    {
        $this->setJsonResponse();
        return array("ajax" => false, "details" => "test" );
    }
}

Maybe there are other ways to improve the security of ajax requests?

3

Viktoras · Answer 1 · 2013-07-30T06:22:39-07:00

Three backticks + language for highlight. '''php // like this ''' (where ' means backtick)

// like this

Roman O · Answer 2 · 2013-07-30T09:50:32-07:00

Roman O
13.8k

Jul '13

Viktoras, thx! Maybe there are other ways to improve the security of ajax requests?

Viktoras · Answer 3 · 2013-07-30T12:59:24-07:00

Try

if ($request->getClientAddress() != "127.0.0.1") {
    die("Only local requests allowed");
}

Roman O · Answer 4 · 2013-07-30T23:03:24-07:00

Sorry for the incorrect...with this code users can not make requests, because they ClientAdress different. I want to ajax request to be available only to those users who have made it to the my site. (exp. domain.com), but i can not get user referrers

Viktoras · Answer 5 · 2013-07-30T23:46:08-07:00

Oh, I see now. Yeah, for this purpose you need to check HTTP_REFERER, however keep in mind, that this header is sent by browser/client. It can be disabled. So this is not a reliable method.

Also, you can do this in your .htaccess, @see https://altlab.com/htaccess_tutorial.html

Also you can google on "Disable hotlinking" for more examples.

Roman O · Answer 6 · 2013-07-31T00:54:26-07:00

Roman O
13.8k

Jul '13

BIG thx!!!