
Block direct access to a file but allow access through jQuery's load function

I'm using jQuery to display a certain page to a user through its .load() function. I am doing this to allow user customization of the website, allowing them to fit it to their needs.

At the moment, I am trying to display the file feed.php inside of a container within main.php;

I have come across a problem where I would like to prevent direct access to the file (ie: going directly to the path of it (./feed.php)), but still allow it to be served through the .load() function.

If I use the .htaccess deny from all method for this, I get a 403 on that specific part of the page. I can't find any other solution to this problem, which prevents me from achieving what I want.

This is my current (simplified) script and html:

<script type="text/javascript">
    $("#dock-left-container").load("feed.php"); // load feed.php into the dock-left-container div
</script>

<div class="dock-leftside" id="dock-left-container"></div> <!-- dock-left-container div -->

If anyone could suggest a solution through .htaccess, php, or even a completely different way to do this, I'd be very grateful!

Thanks in advance.

Please follow the steps below to achieve this:

  1. In the .load function of jQuery, post a security code.
  2. In the feed.php page, place a PHP condition: if the posted security_code parameter is found and matches the security_code passed in .load, then allow access to the page; otherwise restrict it.

Make the following changes to your existing code to achieve it.

JS

<?php
    session_start(); // must be called before $_SESSION is read or written

    // randomCode() is not defined in the answer; an unpredictable token is assumed
    function randomCode() {
        return bin2hex(random_bytes(16));
    }

    $_SESSION['security_code'] = randomCode();
?>
<script type="text/javascript">
    $("#dock-left-container").load("feed.php", {
        security_code: '<?= $_SESSION['security_code']; ?>'
    }); // load feed.php into the dock-left-container div, POSTing the code
</script>

PHP

Place this PHP condition at the top of feed.php:

<?php
session_start(); // same session that main.php wrote security_code into
// Strict comparison: PHP's loose == treats numeric-looking strings as numbers.
if (isset($_POST['security_code'], $_SESSION['security_code'])
    && $_POST['security_code'] === $_SESSION['security_code']) {
    // feed.php page's all the stuff will go here
} else {
    echo "No direct access of this page will be allowed.";
}

feed.php:

<?php
// Serve the feed only to requests carrying jQuery's X-Requested-With header
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    readfile('myfeed.xml');
} else {
    header('HTTP/1.0 403 Forbidden');
    exit; // stop here so nothing below is served to a direct request
}

jQuery sends an HTTP_X_REQUESTED_WITH header by default. This is not, by far, anything remotely secure since HTTP headers are easily sent/spoofed. But it will stop the occasional user trying to access the feed directly.

You can, additionally, check the $_SERVER['HTTP_REFERER'] header (but, again, this is easily spoofed) and, of course, use your normal session logic to make sure the user is logged on if that's a requirement to access the feed.

Either way: there's no way to make this 'water tight'. If your browser can (should be able to) access the feed in some way then it's simply a matter of opening the debugger, having a look at the actual request sent in the network tab and sending the exact same headers/request to get to the file from, say, Curl. Actually, you will see the response of the request (ie the actual feed) in the debugger as well.

Repeat after me: if my (or a user's) browser can access the feed 'from jQuery' (via an AJAX request or whatever) then the feed is accessible to that user if he's even just a little bit more persistent than giving up immediately. Only using a session will keep out 'unauthorized' users because it relies on being logged in. After having logged in, the request is visible no matter what, and that request can be 'forged' to be sent from any other application no matter what.
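Pulling both answers together, here is an added example (not code from either answer) of a feed.php gate that relies on the session login the second answer says is the only check that holds, plus the per-session token from the first answer compared in constant time, with the X-Requested-With check kept only as a courtesy filter. The $_SESSION['user_id'] key written by the login flow is an assumed name.

```php
<?php
// feed.php: added example, not from either answer. Assumes the login flow
// stores the authenticated user's id in $_SESSION['user_id'] and that
// main.php set $_SESSION['security_code'] as shown in the first answer.
session_start();

function deny(int $status, string $reason): void
{
    // Respond with a status code only; echoing the feed body or the reason
    // to an unauthorised caller would defeat the purpose of the gate.
    http_response_code($status);
    header('Cache-Control: no-store');
    error_log("feed.php denied: $reason"); // server-side record for detection
    exit;
}

// 1. The only check that actually holds: the user must be logged in.
if (empty($_SESSION['user_id'])) {
    deny(401, 'no authenticated session');
}

// 2. Per-session token posted by main.php's .load() call. hash_equals()
//    replaces the loose '==' comparison and is timing-safe; a missing or
//    non-string value is rejected instead of causing a PHP type error.
$sent     = $_POST['security_code'] ?? null;
$expected = $_SESSION['security_code'] ?? null;
if (!is_string($sent) || !is_string($expected) || !hash_equals($expected, $sent)) {
    deny(403, 'missing or mismatched security_code');
}

// 3. X-Requested-With only turns away someone typing the URL into the
//    address bar; it is never treated as proof of authorisation.
$xhr = strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '');
if ($xhr !== 'xmlhttprequest') {
    deny(403, 'not an XMLHttpRequest');
}

// All gates passed: serve the feed content to the logged-in user.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
readfile('myfeed.xml'); // the feed file from the second answer
```

A 401 for the unauthenticated case and a 403 for a bad token or missing header keeps the two failure modes distinguishable in the server log without telling the client anything beyond the status code.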
