www.webdeveloper.com

Thread: How to know if Ajax Request?

  1. #1
    Join Date
    Sep 2006
    Posts
    655

    Question How to know if Ajax Request?

    Hi

    Is there any way in PHP to know whether a request has been made via Ajax or is it a normal request?


    Thanks

  2. #2
    Join Date
    Apr 2010
    Posts
    213
    You could set the user-agent to something ('myAjaxRequestAgent' or some such) when you make the XMLHttpRequest in your JavaScript and then check for it in the PHP.

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    I don't think there will ever be a 100% sure way, as in the end it is just another HTTP request as far as the server knows, so anything you look for in the HTTP headers or the URL can be simulated by other means.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Sep 2006
    Posts
    655

    Hi

    I got this link from some reference, thought I should share with you all.

    http://www.electrictoolbox.com/how-t...x-request-php/




    Thanks

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    Quote: Originally Posted by cancer10
    Hi

    I got this link from some reference, thought I should share with you all.

    http://www.electrictoolbox.com/how-t...x-request-php/

    Thanks
    It's a useful tip, and will help with normal usage, but will do nothing to stop a determined hacker/cracker from simulating it. But then, you didn't say why you were asking.

    If, for instance, you just want to know so that the script can decide whether to, say, output a full HTML page (not an AJAX request) or return a JSON object (it is an AJAX request), then it makes perfect sense to do something like that. If, on the other hand, this is more a security/access-control issue, then it will not be 100% secure by any means.

  6. #6
    Join Date
    Sep 2006
    Posts
    655
    I was concerned about the security, which is why I was looking for a prevention.

  7. #7
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    For security, I would depend on whatever access control mechanism you use for "regular" pages. E.g. if you check for a $_SESSION element to see if the user is logged in, you can do the same exact thing in the PHP ajax request handler: the browser will send the session ID cookie with the AJAX HTTP request just as it will with a regular page request.
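
The split described in posts #5 and #7, as an added example that is not part of the thread: the request header only picks the response format, while the session decides access. The X-Requested-With header (sent by libraries such as jQuery), the handle_profile() resource and the sample requests are assumptions of this example.

```php
<?php
// Added example, not from the thread. Requests are passed in as arrays shaped
// like $_SERVER and $_SESSION so the logic can be exercised from the CLI.

// Presentation hint only: any HTTP client can send this header.
// Assumption: the client script (e.g. jQuery) sets X-Requested-With.
function wants_json(array $server): bool
{
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

// Access control: the same session check used for regular pages.
function is_logged_in(array $session): bool
{
    return !empty($session['user_name']);
}

// Returns [status code, content type, body] for a hypothetical "profile" resource.
function handle_profile(array $server, array $session): array
{
    $json = wants_json($server);
    if (!is_logged_in($session)) {
        // A forged header changes the format of the refusal, nothing else.
        return $json
            ? [401, 'application/json', json_encode(['error' => 'login required'])]
            : [401, 'text/html', '<p>Please log in.</p>'];
    }
    $name = $session['user_name'];
    return $json
        ? [200, 'application/json', json_encode(['user' => $name])]
        : [200, 'text/html', '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>'];
}

// Constructed sample requests.
$cases = [
    'header set, no session'  => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], []],
    'header set, logged in'   => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], ['user_name' => 'alice']],
    'regular page, logged in' => [[], ['user_name' => 'alice']],
];
foreach ($cases as $label => [$server, $session]) {
    [$status, $type, $body] = handle_profile($server, $session);
    printf("%-24s %d %-17s %s\n", $label, $status, $type, $body);
}
```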

  8. #8
    Join Date
    Sep 2006
    Posts
    655
    Question: is it possible for a hacker to change the session values?

  9. #9
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    Nope. (Well, unless he actually gains access to your server and can change the session file contents (or database contents).) Hackers will, however, try to steal the session ID cookie from a valid user, via a number of techniques (from high-tech network sniffers to low-tech waiting until the user is away from his desk). But none of these issues are specific to AJAX requests, and are things you need to deal with for any PHP application. Check out www.shiflett.org for lots of info and his very useful PHP Security book.

  10. #10
    Join Date
    Sep 2006
    Posts
    655
    How can they harm my application even if they steal the session ID of a valid user? Because I am validating a user by the session variable

    for example:

    Code:
    <?php
    session_start(); // loads the session data selected by the PHPSESSID cookie

    if ((isset($_SESSION['user_name'])) && (!empty($_SESSION['user_name']))) {

        // user is valid

    }
    ?>

  11. #11
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    Because the way PHP knows which session data to read (if it exists) is based on the PHPSESSID cookie it exchanges back and forth with the browser on each page request. So if I log onto your site and your session_start() creates a PHPSESSID cookie for me with the random value of 'ab12cd341234fe', then you steal my cookie one way or another, then you could connect using that same cookie and access the site using my session data. This is one reason to use SSL/https with a critical site, so that the cookies (and other headers) cannot easily be "sniffed".
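
One way to make the PHPSESSID cookie described in post #11 harder to steal and less useful once stolen, as an added example that is not part of the thread. It assumes HTTPS and PHP 7.3 or later; the function names, the last_seen key and the 30-minute idle limit are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes the site is served over HTTPS
// and PHP 7.3+ (array form of session_set_cookie_params()).

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // browser sends PHPSESSID over HTTPS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',  // not attached to cross-site subrequests
    ]);
    session_start();
}

// Call once the credentials have been verified (hypothetical login flow).
function mark_logged_in(string $userName): void
{
    session_regenerate_id(true); // issue a new ID and delete the old session data
    $_SESSION['user_name'] = $userName;
    $_SESSION['last_seen'] = time();
}

// Same check as in post #10, plus an idle timeout so a copied ID expires.
function session_is_valid(int $maxIdle = 1800): bool
{
    if (empty($_SESSION['user_name'])) {
        return false;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $maxIdle) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Usage at the top of every protected page and every AJAX handler.
start_hardened_session();
if (!session_is_valid()) {
    http_response_code(401);
    exit;
}
```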
