CodeIgniter Forums
Protect public controller function which I need to call with AJAX (within a view) - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Protect public controller function which I need to call with AJAX (within a view) (/showthread.php?tid=60487)



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]greatrat00[/eluser]
Hi,

What's the standard method for having a public controller function which is called by AJAX in one of my views, but needs to be protected so that it isn't called from a malicious user?

In other words, how can I have some public controller methods which can only be called from MY web server using AJAX?

One idea is to use custom token validation. However, token generation will be done on-demand and will also be done in a public controller function and through AJAX, so the user can generate the token and then send that with the request...

What is the standard approach with CodeIgniter to do this?

Thanks


Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]InsiteFX[/eluser]
Code:
$test = $this->input->is_ajax_request();

// is a request from ajax
if ($test)
{
    // your ajax code here
}
else
{
    // your normal code here
}



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]greatrat00[/eluser]
Hi,

The problem with only checking if it's an AJAX request is that any perpetrator can do an AJAX request acting on behalf of the server, right?


Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]InsiteFX[/eluser]
You could also do a check to make sure that it is an admin logged in before executing the code.

What I use is a controller restriction method from my auth system that restricts the controller to an admin only; no one else can access that controller but an admin.



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]greatrat00[/eluser]
Hi,

The function is not to be run by an admin. The function is to be called based on user interactions with the site.

So the users will be the ones logged in to the site when these functions are called.

Isn't the typical solution a token authentication system? However, the tokens can also be generated by malicious users, thus tricking the system, since the tokens will also be generated by AJAX calls, in real time. Thus, my worries.

I'm surprised CI doesn't provide an out-of-the-box solution, since I imagine it's very common for developers to need to call public functions from AJAX calls in views, allowing those calls only from the SERVER and not a user's PC or server.




Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]InsiteFX[/eluser]
PHP is a server side language, Ajax is a client side language so think about it.



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]greatrat00[/eluser]
I think it's clear that you haven't understood my question.

Anybody else?


Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]InsiteFX[/eluser]
I understand your question perfectly. It's up to you to secure your own application.

CI and jQuery etc. can only secure it so much; the rest is up to you to code.



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]ivantcholakov[/eluser]
@greatrat00

I googled a little and as a result I started to doubt that there is a universal solution for protecting AJAX calls. I found this article https://www.webniraj.com/2014/01/12/codeigniter-using-csrf-tokens-to-secure-your-application/ which gives some direction; the thing I don't like about it is the global enabling of CSRF.

You have mentioned that logged-in users are to make some AJAX calls. This case is easy. Let us suppose that you store somehow in the session that a user has been logged in. You can put within your base controller the following method:

Code:
public function _check_ajax_access()
{
    // Methods prefixed with an underscore cannot be reached through the URL router.
    if (!$this->input->is_ajax_request())
    {
        show_404(); // Output "Page not found" error.
    }

    // Standard CI session API is userdata(); this check may be within a model or a library.
    $user_logged = (int) $this->session->userdata('current_user_id') > 0;

    if (!$user_logged)
    {
        exit; // Output nothing.
    }

    // Return and let the child controller do its job.
}
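As an added example that is not part of the thread or of CodeIgniter itself, the listing below combines the three checks the thread circles around: the AJAX-header check, the logged-in-session check, and CodeIgniter's own CSRF token (the `csrf_protection` setting the linked article enables globally). It assumes CodeIgniter 3 with the Session and Security libraries autoloaded, `$config['csrf_protection'] = TRUE`, a login flow that stores a hypothetical `user_id` session key, and a hypothetical `cart_model`. The two classes are shown in one listing for reading; in a real project `MY_Controller` lives in `application/core/MY_Controller.php`.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not code from the thread. Assumes CI 3, csrf_protection = TRUE,
// and a login flow that stores 'user_id' (hypothetical key) in the session.
class MY_Controller extends CI_Controller
{
    // Refuse anything that is not an AJAX request from a logged-in session and
    // return the session's user id so the action can authorize against it.
    protected function require_ajax_user()
    {
        if ( ! $this->input->is_ajax_request())
        {
            show_404(); // Not AJAX: behave as if the page does not exist (exits).
        }

        $user_id = (int) $this->session->userdata('user_id');
        if ($user_id <= 0)
        {
            set_status_header(401); // Logged-out session: no redirect, no HTML.
            header('Content-Type: application/json');
            echo json_encode(array('error' => 'login required'));
            exit;
        }

        return $user_id;
    }
}

class Cart extends MY_Controller
{
    // POST /cart/add_item, called from a view via AJAX.
    public function add_item()
    {
        $user_id = $this->require_ajax_user();

        // With csrf_protection enabled, CI_Security has already rejected any POST
        // whose token does not match the one issued to this visitor's cookie,
        // so a cross-site form post never reaches this line.
        $item_id = (int) $this->input->post('item_id');

        // Authorization: act as the session's user, never as an id the client
        // sends, so a logged-in user can only change their own cart.
        $this->load->model('cart_model'); // hypothetical model
        if ( ! $this->cart_model->add($user_id, $item_id))
        {
            set_status_header(400);
            header('Content-Type: application/json');
            echo json_encode(array('error' => 'could not add item'));
            return;
        }

        header('Content-Type: application/json');
        echo json_encode(array('ok' => TRUE, 'item_id' => $item_id));
    }

    // GET /cart/token: hands the view the CSRF field name and current hash so
    // its AJAX POSTs can include them. Same-origin policy keeps another site
    // from reading this JSON, and the hash only pairs with this visitor's cookie.
    public function token()
    {
        $this->require_ajax_user();
        header('Content-Type: application/json');
        echo json_encode(array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash(),
        ));
    }
}
```

The point for the worry raised earlier in the thread: a user who fetches their own token gains nothing, because every request still runs as that user's session and the action authorizes against `$user_id`. The token defends against a third-party site forging a request through the victim's browser, while the per-action authorization check is what stops a logged-in user from acting on someone else's data. The hash can also be embedded directly in the view with `$this->security->get_csrf_hash()` instead of being fetched from the `token()` endpoint.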



Protect public controller function which I need to call with AJAX (within a view) - El Forum - 04-07-2014

[eluser]greatrat00[/eluser]
Hi,

Thanks for your answer.

It's actually not that simple, because a malicious user could log in just to get that session variable created, and then do a bunch of unauthorized ajax calls using the same browser. That case would go through your code.