I use my JavaScript client (say, foo.js) to call my PHP Ajax code on the server (say, bar.php). This works perfectly most of the time, but once in a while I get back HTTP 403 (Forbidden) instead of the usual 200 (OK). This happens using exactly the same code, same parameters, etc.

Why is that happening? How can I fix it? Is there a chance it's happening due to some action inside my bar.php code? How can I log the reason for it?
The foo.js client:

```javascript
function postAjax(url, queryString, callback) {
    var x = new XMLHttpRequest();
    x.onreadystatechange = function() {
        if (x.readyState === 4) { // 4 = HTTP response content finished loading
            if (x.status === 200) callback(true, x.responseText);
            else callback(false, x.status); // non-200: only the status code is passed back
        }
    };
    x.open('POST', url, true);
    x.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    x.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    x.send(queryString);
}

var params = 'aaa=xxx&bbb=yyy';
postAjax('bar.php', params, myCallback);

function myCallback(ajaxStatus, ajaxResponse) { /* do something */ }
```
The bar.php server:

```php
<?php
header('Content-Type: text/plain');
// Treat the request as Ajax only when the client sent the X-Requested-With header
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
if ($isAjax) {
    /* Do something with $_POST['aaa'] and $_POST['bbb'] */
    echo 'Success';
}
else {
    echo 'Error';
}
?>
```
New info appended:
Browser Console (in this example Firefox):
When all is good (most of the time):

```
+ POST http://example.com/bar.php 200 OK ZZZms
```

When error (e.g., after the 7th time the last time I tried):

```
+ POST http://example.com/bar.php 403 Forbidden X ZZZms
```

and I get back 403 in ajaxResponse, which comes from x.status.

Expanding the '+' in the Firefox console, I see the response:
```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /bar.php
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
```
Looking at the Apache Raw Access Log (thru cPanel), I see a similar POST row for all, with the status changed from 200 to 404 in the 7th test:

```
<my IP> - - [17/Jan/2015:09:55:50 -0500] "POST /bar.php HTTP/1.1" 404 - "<my test url>" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
```
"You don't have permission to access" ???
How come I have permission 6 times but not the 7th time?
Looking at the Apache Error Log (thru cPanel) for the same time, I see the row:

```
[Sat Jan 17 09:55:50 2015] [error] [client <my IP>] File does not exist: /home/<my user>/public_html/403.shtml, referer: <my test url>
```
Did some thorough research. It's... mod_security !!!
Look at http://www.opensourceforu.com/2011/08/securing-apache-part-10-mod_security/, search for 'SecFilterScanPOST'. My 'aaa' posted variable serves as some random token, and once in a while had a value filtered by this mod_security mechanism.
This was fixed following a chat with the host support. Initially I thought I could solve it myself by editing some .htaccess file(s) appropriately, but eventually it appeared I needed their assistance.