Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's
100% free, no registration required.
Using AJAX to secure sessions and save messages
I have been working with PHP sessions and login protected pages for some time, but I want to start using some AJAX for
managing some actions inside login protected pages (easy way with jQuery).
Here is what I want to do:
The user logs in (classic no-AJAX method), and wants to submit a message. I make a request with AJAX to another page,
where the session is checked and the message is saved.
Here is how the start page looks:
<?php
session_name('NEWSESSION');
session_start();
// Note: rotating the id on every request (including each AJAX call) can race when two
// requests overlap; regenerating once at login is the usual pattern.
session_regenerate_id(true);
if (empty($_SESSION['user_logged'])) {
    header("location: login.php");
    exit; // without exit the protected page is still rendered after the redirect header
}
$sessionTTL = time() - $_SESSION["timeout"];
if ($sessionTTL > SES_LENGHT) { // SES_LENGHT is defined in an included file omitted from the post
    session_destroy();
    header("location: login.php");
    exit;
}
?>
<!-- page header and all other html things here -->
<div id="returned_message"></div>
<textarea id="message">TEST</textarea>
<input type="button" id="submit" value="Submit message">
<script>
$("#submit").click(function(){
$.ajax({
type: 'POST',
data: {
action: 'submit_message',
message: $("#message").val()
},
url: '/save.php',
success: function(data) {
$('#returned_message').html(data);
}
});
});
</script>
And this is save.php, where I send the request (and which sends back a "msg saved" message):
<?php
session_name('NEWSESSION');
session_start();
session_regenerate_id(true);
if (empty($_SESSION['user_logged'])) {
    header("location: login.php");
    exit; // stop here, otherwise the save code below still runs for a logged-out client
}
$sessionTTL = time() - $_SESSION["timeout"];
if ($sessionTTL > SES_LENGHT) { // SES_LENGHT is defined in an included file omitted from the post
    session_destroy();
    header("location: login.php");
    exit;
}
$username = $_SESSION['user_username'];
// must match the action value sent by the JavaScript ('submit_message')
if ($_POST["action"] == "submit_message") {
    /* PHP code for saving message */
    echo "Message saved!";
}
?>
Is this the right way to do this? And how vulnerable is this (is it more vulnerable than doing it with classic PHP methods, with
no fancy AJAX things)? All suggestions are welcome.
php security ajax session
edited Jun 6 at 18:14
Jamal
13.7k 3 54 116
asked Nov 13 '12 at
21:44
SomeoneS
131 2 6
1 Answer
Consider adding User Agent check
Adding a User Agent check will add another layer of security. This will slow down
Session Hijacking a bit.
AJAX alone is not a security issue
AJAX is no more vulnerable than regular access when it comes to sessions.
SES_LENGHT is not defined
The constant is not defined anywhere. Is your code snippet complete?
answered Nov 13 '12 at
23:22
user555
313 1 9
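The User-Agent check the answer suggests, together with the fixes a reviewer would make to the posted save.php (exit after the redirect, a 401 instead of a redirect for AJAX callers, regenerating the id at login rather than on every request, and a consistent action string), as an added example in PHP. This is not the OP's or the answerer's code. It assumes a hypothetical config.php that defines SES_LENGTH in seconds (the OP's SES_LENGHT) and a PDO handle $pdo, that login.php calls bind_session_to_client() after verifying credentials, and a messages table; the names bind_session_to_client, require_login, deny and save_message are all introduced here.

```php
<?php
// save.php, rewritten as an added example (not the OP's code). The guard functions
// would normally live in an include shared with every login-protected page.
// Assumptions (hypothetical): config.php defines SES_LENGTH in seconds (the OP's
// SES_LENGHT) and a PDO handle $pdo; login.php calls bind_session_to_client()
// after verifying credentials; a table messages(username, body, created_at) exists.
require __DIR__ . '/config.php';

function bind_session_to_client(): void
{
    // Called once at login. Rotating the id here, and not on every request as the
    // posted code does, avoids two concurrent AJAX calls each regenerating the id
    // and one of them losing the session.
    session_regenerate_id(true);
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['timeout'] = time();
}

function is_ajax_request(): bool
{
    // jQuery's $.ajax adds this header on same-origin requests.
    return strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

function deny(string $reason): void
{
    session_unset();
    session_destroy();
    if (is_ajax_request()) {
        // A redirect is useless to an AJAX caller: jQuery follows it and the success
        // handler drops the login page's HTML into #returned_message. Send 401 instead.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => $reason]);
    } else {
        header('Location: login.php');
    }
    exit; // the posted code omits this, so the page body is still sent after the redirect header
}

function require_login(): string
{
    session_name('NEWSESSION');
    session_start();

    if (empty($_SESSION['user_logged'])) {
        deny('not logged in');
    }
    // Idle timeout, measured from the last request rather than from login.
    if (time() - (int)($_SESSION['timeout'] ?? 0) > SES_LENGTH) {
        deny('session expired');
    }
    $_SESSION['timeout'] = time();

    // The User-Agent check the answer suggests: bind the session to the browser string
    // seen at login. It only slows a hijacker who does not also copy the UA, since the
    // header is attacker-controlled; it is a speed bump, not a substitute for HTTPS
    // and HttpOnly/Secure session cookies.
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals((string)($_SESSION['ua_hash'] ?? ''), $ua_hash)) {
        deny('client changed');
    }
    return (string)$_SESSION['user_username'];
}

function save_message(PDO $pdo, string $username, string $message): void
{
    // Prepared statement: the message body is bound as data, never interpolated into SQL.
    $stmt = $pdo->prepare('INSERT INTO messages (username, body, created_at) VALUES (?, ?, NOW())');
    $stmt->execute([$username, $message]);
}

$username = require_login();
header('Content-Type: application/json');

// Same action string as the JavaScript sends ('submit_message'); the posted save.php
// compared against "save_message", so its save branch could never run.
if (($_POST['action'] ?? '') !== 'submit_message') {
    http_response_code(400);
    echo json_encode(['error' => 'unknown action']);
    exit;
}
$message = trim((string)($_POST['message'] ?? ''));
if ($message === '' || strlen($message) > 4000) { // 4000 is an arbitrary limit for the example
    http_response_code(422);
    echo json_encode(['error' => 'message empty or too long']);
    exit;
}
save_message($pdo, $username, $message);
echo json_encode(['status' => 'Message saved!']);
```

On the client side the posted $.ajax call needs two small changes to go with this: an `error` callback that sends the browser to login.php when the status is 401, and rendering `data.status` with `.text()` rather than `.html()`, so that whatever comes back from the server is never interpreted as markup.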


Thanks for your answer. Regarding SES_LENGHT, it is defined in an included file (I just
removed that include to simplify the example and make it clearer). SomeoneS Nov
14 '12 at 8:30