duanbin4847 2010-11-08 15:36

How to deny direct access to files in the AJAX directory

I have several pages that call in content via jQuery .ajax. I don't want the content visible on the page, so that's why I went with .ajax and not showing/hiding the content. I want to protect the files inside the AJAX directory from being directly accessible through the browser URL. I know that PHP headers can be spoofed and don't know if it is better to use an "access" key or try doing it via htaccess.

My question is what is the more reliable method? There is no logged on/non logged user status, and the main pages need to be able to pull in content from the pages in the AJAX directories.

thx


3 answers

  • drrog9853 2010-11-08 15:40 (accepted answer)

    Make a temporary time-coded session variable. Check the variable in the php output file before echoing the data.

    OR, if you don't want to use sessions.. do this:

    $key = base64_encode(time().'abcd');

    In the reading file: base64_decode, explode by 'abcd', read the time. Allow a 5-second buffer. If the time falls within 5 seconds of the stamped request, you are legit.

    To make it more secure, you can change your encrypting / decrypting mechanism.

  • douxigai8757 2010-11-08 15:45

    Why not have the content be outside the webserver directory, and then have a php script that can validate if the person should see it, and then send it to them.

    So, you have getcontent.php, and you can look at a cookie, or a token that was given to the javascript page and it uses to do the request, and then it will just fetch the real content, set the mime types and stream it to the user.

    This way you can change your logic as to who should have access, without changing any of the rest of your application.

    There is no real difference to the browser between http://someorg.net/myimage.gif and http://someorg.net/myscript.php?token=887799&img_id=ddtw88, but obviously it will need to work with GET, so a time-limited value is necessary, as the user can see and reuse it.

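    The two answers above describe one design between them: a short-lived token handed to the page (first answer) and a gateway script that checks it before streaming a file kept outside the web root (second answer). The block below is an added example that is not from either answer; it keys the timestamp with an HMAC instead of a fixed string such as 'abcd' (a swapped-in technique, so that the token cannot be rebuilt from the timestamp alone), and it assumes a hypothetical content directory /var/www/private, a hypothetical server-side secret placeholder, and query parameters named token and name.

```php
<?php
// Added example, not the original answers' code. Token issuing and checking
// (first answer's idea) plus a getcontent.php-style gateway (second answer's
// idea). Assumptions: CONTENT_DIR is a hypothetical path outside the web
// root; the secret string passed to serve() is a placeholder to be replaced
// with a value that only the server knows.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 5;                // the 5-second buffer from the first answer
const CONTENT_DIR = '/var/www/private';     // hypothetical directory outside the web root

// Issue a token: base64( "<unix time>.<HMAC-SHA256 of the time>" ).
// The MAC is keyed with a server-side secret, so knowing the format
// is not enough to forge a fresh token.
function make_token(string $secret, ?int $now = null): string
{
    $ts  = (string)($now ?? time());
    $mac = hash_hmac('sha256', $ts, $secret);
    return base64_encode($ts . '.' . $mac);
}

// Accept a token only if it decodes, its MAC matches, and its timestamp
// lies within the last TOKEN_TTL_SECONDS.
function token_is_valid(string $token, string $secret, ?int $now = null): bool
{
    $decoded = base64_decode($token, true);   // strict: reject garbage
    if ($decoded === false) {
        return false;
    }
    $parts = explode('.', $decoded, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $ts, $secret);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return false;
    }
    $age = ($now ?? time()) - (int)$ts;
    return $age >= 0 && $age <= TOKEN_TTL_SECONDS;
}

// Map the requested name onto a file inside CONTENT_DIR. Only a bare
// "<word>.html" is accepted, which rules out ../ traversal and absolute paths.
function resolve_content(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $name)) {
        return null;
    }
    $path = CONTENT_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

// Gateway entry point, reached as getcontent.php?token=...&name=....
function serve(string $secret): void
{
    $token = $_GET['token'] ?? '';
    $name  = $_GET['name'] ?? '';
    if (!is_string($token) || !is_string($name) || !token_is_valid($token, $secret)) {
        http_response_code(403);
        exit('forbidden');
    }
    $path = resolve_content($name);
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store');
    readfile($path);
}

// Run the handler only when this file itself is requested, so the main page
// can include it just to call make_token() when rendering.
if (PHP_SAPI !== 'cli' && basename($_SERVER['SCRIPT_FILENAME']) === basename(__FILE__)) {
    serve('REPLACE-WITH-SERVER-SIDE-SECRET'); // hypothetical placeholder
}
```

    The main page calls make_token() with the same secret, embeds the result in the markup, and the jQuery .ajax call passes it as the token parameter (jQuery URL-encodes it, which matters because base64 output can contain '+' and '/'). This stops the files from being opened by typing their path into the address bar, which is what the question asked for; it does not make the content secret, because anyone who loads the main page receives a valid token and can replay the same request within the window, which is the point the third answer makes.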
  • dongshenghe1833 2010-11-08 15:49

    I would drop this idea because there is no secure way to do it.

    Your server will never be able to tell apart a "real" Ajax request from a "faked" one, as every aspect of the request can be forged on the client side. An attacker will just have to look into a packet filter to see what requests your page makes. It is trivial to replicate the requests.

    Any solution you work out will do nothing but provide a false sense of security. If you have data you need to keep secret, you will need to employ some more efficient protection like authentication.
