Authentication for PHP with AJAX


jcanker

Pardon my noobness, but I'm learning to wrap AJAX into my work and use it to get XML instead of "static" PHP that generates the HTML.  The login/security portion has my head spinning, but it's probably not as difficult as I think and I'm probably just confusing myself. 

 

In the past, for each PHP page in my site, I would perform a quick salted login check based on the username/password stored in the $_SESSION variables.  Perhaps it was a bit overboard to check on each page, but, well, I did it.

 

With AJAX, I *NEED* to ensure that the php resulting from an AJAX POST request won't run if the user isn't authenticated, and I need to ensure that they didn't just somehow force a $_SESSION variable to reflect an authenticated session.  I also need to ensure that someone can't just load up the PHP page on its own, somehow send a POST to it and run it without being authenticated. 

 

I suppose that beyond the larger picture of "How do I ensure that the user is authenticated, the POST request is authentic, and nobody has forced a change in the $_SESSION stored on the server?", I have a few specific questions. 

 

I know that in part I'm confused about the whole cookie/SESSION process.  In my old PHP site, the SESSION number was stored on the cookie on the user's machine.  If the info is sent via AJAX, does the PHP get the SESSION info from the cookie or does it have to be explicitly sent?  With potentially several users sending AJAX requests at the same time, how will my PHP know which SESSION to use for each request?

 

Is it secure enough to set an "Authenticated" flag in $_SESSION once the user is authenticated the first time?  Is it really just as simple as sending a username/salted password hash as AJAX/POST and setting an authenticated flag in the SESSION to ensure that the rest of the AJAX application runs without allowing someone to back-door the PHP?

Good questions.  I recommend heading over to the manual and reading the section on sessions.

 

My understanding of sessions is that only a session id is stored on the user's computer with cookies, and that id is sent to your php server to get any variables associated with it.  So if you're saving a username and password in session variables, the actual values are stored on the server.

 

The only way a session id can be faked is if the user gets some other person's current valid session id, which is next to impossible.

 

It IS therefore safe enough to set a $_SESSION['auth'] variable and count that as authorized, instead of checking the username and password on every page.

 

It's been a while since I've worked with AJAX and sessions, but I'm fairly sure that sessions are maintained even when an AJAX request is made to them.

 

If on the page you're making a request to you just add an if(empty($_SESSION['auth'])) { redirect... } you'll be fine and no one will be able to hack it.

 

If they ARE authed, be sure to make the necessary checks on the POST data to make sure it's in the form you want it to be in.

 

If either that or the auth fails, you can have the php script you're requesting send back an error message to be output.

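As an added example (not code from the thread or from either poster), here is one PHP endpoint that does what the reply above describes: a login action that verifies the password and sets $_SESSION['auth'], and a protected action that refuses unauthenticated callers with a JSON error rather than a redirect and validates its POST fields before using them. The user table, the action names and the "note" field are assumptions made for illustration.

```php
<?php
// Added example, not from the thread: one PHP file serving as the AJAX endpoint.
// The browser sends the session cookie (PHPSESSID by default) with XMLHttpRequest
// calls exactly as with normal page loads, so session_start() restores $_SESSION here.
session_start();
header('Content-Type: application/json');

// Stand-in user store (assumption for illustration); a real app reads a stored
// password_hash() value from a database rather than hashing on every request.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

$action = $_POST['action'] ?? '';

if ($action === 'login') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (!is_string($user) || !is_string($pass)
        || !isset($users[$user]) || !password_verify($pass, $users[$user])) {
        fail(401, 'bad credentials');
    }
    session_regenerate_id(true);   // fresh id after login so a pre-login id is not reused
    $_SESSION['auth'] = true;      // the flag lives server-side; the client only holds the id
    $_SESSION['user'] = $user;
    echo json_encode(['ok' => true]);
    exit;
}

// Every other action requires the flag set at login; a caller who loads this
// file directly without a valid session gets an error body, not a redirect.
if (empty($_SESSION['auth'])) {
    fail(401, 'not authenticated');
}

if ($action === 'save_note') {
    // Validate the POST data is in the expected form before doing anything with it.
    $note = $_POST['note'] ?? '';
    if (!is_string($note) || strlen($note) === 0 || strlen($note) > 1000) {
        fail(400, 'note must be 1..1000 characters');
    }
    echo json_encode(['ok' => true, 'user' => $_SESSION['user'], 'length' => strlen($note)]);
    exit;
}

fail(400, 'unknown action');
```

The same file answers both ordinary form posts and AJAX posts, which is the point the later reply makes: the server sees no difference between the two.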
l4nc3r's reply to you is correct. 

 

It might help you to look into the HTTP protocol a bit. 

 

Just to reiterate:  session variables are stored server side.  This is the advantage of using them -- they aren't disclosed.

 

The way the server knows that the client has a session is via the session id.  This is generated at the server and by default, gets set as a cookie.

 

Cookies are passed in the HTTP header.  On every request, the browser will send the full set of cookies it stored on prior requests for that server domain/URI combination.  So in the setting of the session, the server sends a request for the browser to create the cookie with the session id, and after that the client sends it back on every request.

 

In an "ajax" call there is no difference to the server -- it still looks like a request coming from the client, and cookies are still sent, so the server script can do the same sort of checks for authentication that it would do if this was a non-ajax request.  Point of fact, there is nothing special about an ajax request at all -- it's still a GET or POST, and the format of data being returned is irrelevant in regards to authentication questions.

Thank you very much, both of you, for responding.

I understood that Session info was kept server-side and only the SESSID was kept in the cookie.  I just wasn't sure how this made it back over to the server under AJAX.  I now understand there is no difference and that it's perfectly secure for me to set an authorized flag in $_SESSION.

 

I can sleep better now :)  Thank you!
