Possible Duplicate:
How to authenticate AJAX call?
I have a page ajax_check_user_pass
that checks user's username and password through ajax.
Ajax code in this page posts username and password to a php file php_check.php
.
The php_check.php
checks username and password to match in a database.
How can I be sure that the username and password that php_check.php receives are from ajax_check_user_pass
and are not faked by someone?
I have used sessions but it's not working. Also, I know that checking the referrer is not reliable.
Thanks in advance.
The fact is, you don't know who is sending you usernames and passwords; the fact that they have to enter this information is proof that you don't know who they are. As long as you sanitize the posted information, it should work exactly how you want it to.
Many sites implement a maximum number of attempts, but really that's up to you.
These kinds of attacks are called CSRF, and they can be avoided by passing a challenge token stored in the session or a cookie with every request a form or AJAX call makes on your site, and checking that it is valid before doing any further operation.
Read this:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Also make sure to regenerate this token every X minutes or Y pageviews, whatever comes first.
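As an added illustration of the token scheme this answer describes (example code, not from the question or the answer), here is a minimal PHP helper for the php_check.php / ajax_check_user_pass pair: the token lives in the session, is compared in constant time, and is rotated after a time or use limit. The function names, the 15-minute / 20-use limits and the JSON response shape are assumptions.

```php
<?php
// Added example, not from the original question or answers. Function names,
// the rotation limits and the response format are assumptions.

const CSRF_TOKEN_TTL_SECONDS = 15 * 60;  // "every X minutes": assumed 15
const CSRF_TOKEN_MAX_USES    = 20;       // "or Y pageviews": assumed 20

// Return the current token, minting a fresh one when none exists or when
// the time or use limit has been reached (this is the rotation step).
function csrf_token(): string
{
    $t = $_SESSION['csrf'] ?? null;
    $stale = $t === null
        || time() - $t['issued'] > CSRF_TOKEN_TTL_SECONDS
        || $t['uses'] >= CSRF_TOKEN_MAX_USES;
    if ($stale) {
        $t = ['value' => bin2hex(random_bytes(32)), 'issued' => time(), 'uses' => 0];
    }
    $t['uses']++;
    $_SESSION['csrf'] = $t;
    return $t['value'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_is_valid(?string $submitted): bool
{
    $stored = $_SESSION['csrf']['value'] ?? null;
    return is_string($submitted) && $stored !== null && hash_equals($stored, $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // php_check.php side: refuse the credential lookup unless the token matches.
    $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_token_is_valid($token)) {
        http_response_code(403);
        echo json_encode(['ok' => false, 'error' => 'invalid csrf token']);
        exit;
    }
    // ... the username/password database check goes here ...
    echo json_encode(['ok' => true]);
    exit;
}

// ajax_check_user_pass side: embed the token so the AJAX call can send it
// back, e.g. as an X-CSRF-Token header or a csrf_token POST field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo "<meta name=\"csrf-token\" content=\"{$token}\">";
```

The JavaScript on ajax_check_user_pass reads the meta tag and sends its value with each POST; a request arriving without the session-bound token is rejected before any database work is done.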