ajax request detect caller

kante

I have a form that sends a post to a php script using ajax.

I'd like to prevent this script to be called from other sources than the one it is supposed to be called from...

is it a good idea to test the source from $_SERVER['HTTP_REFERER']?

laserlight

kante wrote:
I have a form that sends a post to a php script using ajax.

I'd like to prevent this script to be called from other sources than the one it is supposed to be called from...

Use the CSRF token technique. See:
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
Cross-Site Request Forgeries

kante wrote:
is it a good idea to test the source from $_SERVER['HTTP_REFERER']?

You could, but it is not as secure.

bradgrafelman

Just to elaborate on using HTTP_REFERER:

It's generally recommended that you do not depend on this Referer header for any reason. For one, it isn't a required header, so it's possible that a user's browser is configured not to send it.

Second, it doesn't add any security because this header can easily be modified/altered at will by the user.

kante

many thanks.... but do you think it is necessary to spend time applying a CSFR prevention in a registration or login environment? (talking of community system... not money involved)

laserlight

That is a decision for you to make since we do not know what are the consequences if someone does try something funny.