This is what I do,
- On your website, create a secret string. I use the HMAC($_SERVER['REMOTE_ADDR'], key).
- Write the secret in a Javascript var.
- On the AJAX call, pass this string as a parameter.
- On the AJAX server, do the hash again. If it matches the parameter, the call is from your page.
EDIT: Code examples,
On your website, you do this:
$key = 'supersecretkey'; // This is your security, don't expose this
$nonce = bin2hex(random_bytes(16)); // CSPRNG-backed nonce; rand() is predictable
$timestamp = time();
// Sign the client's address together with the per-page-load nonce and timestamp
$signature = hash_hmac('sha1', $_SERVER['REMOTE_ADDR'] . $nonce . $timestamp, $key);
Print out the vars to the page,
<script type="text/javascript">
<?php
// json_encode() emits properly quoted JS literals
echo "var signature = " . json_encode($signature) . ";\n";
echo "var nonce = " . json_encode($nonce) . ";\n";
echo "var timestamp = " . json_encode($timestamp) . ";\n";
?>
</script>
When you make the AJAX call, pass the three parameters to the server:
http://example.com?signature=...&nonce=...&timestamp=...
On the AJAX server, do the calculation again,
$key = 'supersecretkey'; // This is your security, don't expose this
$nonce = (string) ($_REQUEST['nonce'] ?? '');
$timestamp = (string) ($_REQUEST['timestamp'] ?? '');
$signature = hash_hmac('sha1', $_SERVER['REMOTE_ADDR'] . $nonce . $timestamp, $key);
// hash_equals() compares in constant time and avoids PHP's loose == on hex strings
if (hash_equals($signature, (string) ($_REQUEST['signature'] ?? ''))) {
    // the call is from my page.
}
You can also check the timestamp for freshness and the nonce for replay (needs a session or data store).
He who fights with dragons too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back…
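The complete scheme from the answer above, both the page side that mints the values and the AJAX side that recomputes the HMAC, plus the timestamp window and the nonce store the last line mentions, as an added Python example that is not part of the original answer. The key, the 300-second window, the 60-second clock-skew tolerance, the in-memory nonce store and the sample IP addresses are assumptions; it also separates the signed fields with newlines rather than concatenating them directly as the PHP does, so field boundaries are unambiguous.

```python
import hashlib
import hmac
import os
import time

# Placeholders: load the real key from configuration, never from the page.
KEY = b"supersecretkey"   # assumed key, as in the answer
MAX_AGE = 300             # assumed validity window in seconds
CLOCK_SKEW = 60           # assumed tolerance for a client/server clock ahead of us


def _message(remote_addr, nonce, timestamp):
    # Newline separators keep field boundaries unambiguous (the PHP concatenates directly).
    return f"{remote_addr}\n{nonce}\n{timestamp}".encode()


def sign(remote_addr, key=KEY, now=None):
    """Page side: mint nonce, timestamp and HMAC-SHA1 signature for this client IP.
    Returns the three values exactly as they would be written into the JS vars."""
    nonce = os.urandom(16).hex()   # CSPRNG, the equivalent of random_bytes(), not rand()
    timestamp = str(int(time.time() if now is None else now))
    signature = hmac.new(key, _message(remote_addr, nonce, timestamp), hashlib.sha1).hexdigest()
    return {"signature": signature, "nonce": nonce, "timestamp": timestamp}


class Verifier:
    """AJAX side: recompute the HMAC and enforce the time window and one-time nonce."""

    def __init__(self, key=KEY, max_age=MAX_AGE, clock_skew=CLOCK_SKEW):
        self.key = key
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen = {}   # nonce -> expiry; stands in for the session/data store

    def verify(self, remote_addr, params, now=None):
        now = int(time.time() if now is None else now)
        # Drop nonces that can no longer validate so the store stays bounded.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}

        try:
            signature = str(params["signature"])
            nonce = str(params["nonce"])
            timestamp = str(params["timestamp"])
            ts = int(timestamp)
        except (KeyError, ValueError, TypeError):
            return False, "missing or malformed parameter"

        # Freshness: reject stale signatures and ones dated too far in the future.
        if not (now - self.max_age <= ts <= now + self.clock_skew):
            return False, "timestamp outside window"

        # Constant-time comparison (the PHP equivalent is hash_equals(), not ==).
        expected = hmac.new(self.key, _message(remote_addr, nonce, timestamp), hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"

        # Replay: a valid nonce may be presented once within its window.
        if nonce in self.seen:
            return False, "nonce replayed"
        self.seen[nonce] = ts + self.max_age
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one page load for 203.0.113.7, then the AJAX call.
    v = Verifier()
    params = sign("203.0.113.7", now=1000)
    print(v.verify("203.0.113.7", params, now=1010))    # (True, 'ok')
    print(v.verify("203.0.113.7", params, now=1011))    # second use of the same nonce
    print(v.verify("198.51.100.9", params, now=1012))   # presented from a different source IP
```

What a passing check establishes is that the caller holds a (signature, nonce, timestamp) triple that was issued to the same source address inside the window and has not been consumed before; the nonce store has to be shared by every server that answers the AJAX endpoint, or a replay will succeed against a different instance. The signature check runs before the nonce lookup so that a forged request cannot burn a legitimate nonce.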