How to restrict reaching functions from a URL

#1
[eluser]emrah[/eluser]
Hi all.

My problem is about security.

I'm coding my site with the help of jquery.
There is no usage of href elements in the pages.
I'm requesting new pages with the help of jquery. Also forms are posting with ajax.

If someone looks into my JS code (with Firebug or Chrome developer tools) he can clearly see the URL addresses where I'm sending my data.

So if he copies and pastes that URL into the browser he can easily reach that page.

Let's say I have a URL like this:
http://localhos/project/controllerpage/function/functionparameter

If I call this url within javascript everything is fine and no problem.

If someone types this URL into the browser he can still access my page. So this is the problem.
I don't want any person to reach my controller, or the functions in it, directly.

So what can I do to restrict direct access to my pages?

I tried to change my functions to private ones, so I added a "_" at the beginning of all my functions.
But this created a new problem: I cannot reach my functions from the JavaScript.

Thanks...

#2
[eluser]pickupman[/eluser]
You can add this in your config.php file or in the constructor of the controller you want to protect:
Code:
// Global define for AJAX requests.
// jQuery sends "X-Requested-With: XMLHttpRequest" on its AJAX calls; PHP exposes the
// header as $_SERVER['HTTP_X_REQUESTED_WITH'] (absent on a plain browser navigation).
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest');

Then in the pages you want to protect just use:
Code:
function jquery_page()
{
    if (IS_AJAX)
    {
        // Do your stuff here: only reached when the request carried the XHR header.
    }
    // A URL typed directly into the browser falls through and gets an empty response.
}

Also keep in mind that some people, albeit a small percentage, have JavaScript turned off. So your pages should work just the same without the cool jQuery/AJAX goodness. If users can access the data via jQuery, then there really shouldn't be much difference if they interact with it directly. Another possibility, once you have completed all of your code, is to use a JS packer to obfuscate the code. A small level of help to deter some eyeballs.

#3
[eluser]emrah[/eluser]
This worked like a charm. I'm really grateful.

Thanks for your advice also.
This will be a local site in a university and the users are IT personnel.
It is like a small CRM which holds the inventory data and prints barcodes for it.
Service records for the inventory items will also be held.
So it needs to have a basic interface which users can interact with easily, like a Win32 application.

That's why javascript is a "must have" for me.
I don't want users to get lost in the pages :)

Do you have any other suggestions about security when using AJAX?

#4
[eluser]pickupman[/eluser]
Glad that fixed it up. You should apply much the same security rules you would use without JavaScript. Basically, trust nothing coming in as input. Try to sanitize, trim, and validate the input using the form validation class. Depending on the frequency of use, you could look into cross-site request forgery (CSRF). It's been added in CI 2.0. You are simply creating a random string in the user's session/cookie, adding it as a hidden form field, and checking it when the form is submitted. Just serialize the form with .serialize() to get all inputs and post to CI.
I found it easiest to return JSON from CI. This allows you to return multiple variables back. I use dataResponse => true/false, dataMessage => string, dataHtml => html. I then use jQuery to check if the request completed, display a message if necessary, and update the page with any new HTML.

#5
[eluser]emrah[/eluser]
I'm already using your suggestions (trim, input validation) in my project.
That makes me feel more comfortable now.

But this is the first time that I've heard the term CSRF. I think I have to do some research on it, because I really don't understand what it is :)

Thanks again for your interest.

#6
[eluser]pickupman[/eluser]
It basically makes sure that the request came from a user you have set a session for, and who is active within the set time. Essentially, if someone knows your URLs and tries to post form data to them, you can check whether the user has the random string in their session and whether it matches the random string in a hidden input field. There are a few libraries/helpers floating around on the boards and wiki.
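
As an added example, not code from the thread or from CodeIgniter, here is the token scheme from this post in plain PHP, with the X-Requested-With test from post #2 alongside it for comparison: the header only tells AJAX calls apart from typed-in URLs, since any HTTP client can send it, so the token comparison is what actually rejects forged posts. The session key and hidden field name are assumptions.

```php
<?php
// Added example, not code from the thread or from CodeIgniter: the token scheme
// pickupman describes in plain PHP. Session key and field name are assumptions.
session_start();

const CSRF_SESSION_KEY = 'csrf_token'; // assumed name
const CSRF_FIELD_NAME  = 'csrf_token'; // assumed name

/** Return the per-session random string, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input for every form; jQuery's .serialize() picks it up automatically. */
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only when a token was submitted and it equals the one in the session. */
function csrf_check(array $post): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD_NAME] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals compares in constant time, so no timing leak on partial matches.
    return hash_equals($expected, $given);
}

/** The X-Requested-With test from post #2: jQuery sets it, but so can any client. */
function is_ajax(): bool
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// In a POST handler: refuse the request unless the token matches.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && !csrf_check($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

Echo csrf_field() inside each form and keep csrf_check() in front of every state-changing handler; the is_ajax() test can still route the response format, but it should not be the gate.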

#7
[eluser]emrah[/eluser]
That makes sense now.
I got it.
