The PHP Ajax handler should be secured, not serving calls from anywhere other than the page that the visitor is viewing in the browser (assuming that Apache is not configured to restrict access to the handler). I have designed a security structure with this aim in mind, and would like to know if my approach is good or could be improved. Are there any weaknesses that could be exploited?
The design is quite simple. When the page is constructed for serving, a session cookie is created, and its value is an encrypted token derived from the client’s IP and a random salt. The cookie’s value, the encrypted token, is also used as the name of a temporary db record for 60 minutes, and the record’s value is the salt that was used to generate the token.
```php
$ajaxSalt = bin2hex(openssl_random_pseudo_bytes(30)); // Create random salt
$cookieAndTrans = md5(crypt($_SERVER['REMOTE_ADDR'], $ajaxSalt)); // We use cookie value as token
setCookie('qnrwp_ajax_cookie', $cookieAndTrans); // Set session cookie, for JS Ajax caller to echo back to us
set_transient('qnrwp_ajax_temp_salt_'.$cookieAndTrans, $ajaxSalt, 60 * MINUTE_IN_SECONDS); // Save salt for 60 mins
```
Receiving the call, the handler will check that the transmitted cookie value matches the cookie value that was set initially. It then uses this value as the name of the temporary db record to call up (if 60 minutes haven’t passed), and uses the value of the record, the salt, to confirm that the IP matches.
```php
// ----------------------- Security check
if ($_POST['qnrwp_ajax_cookie'] !== $_COOKIE['qnrwp_ajax_cookie']) wp_die(); // Echoed token must equal the cookie value
$ajaxTrans = get_transient('qnrwp_ajax_temp_salt_'.$_POST['qnrwp_ajax_cookie']); // Look up the stored salt by token
if (!$ajaxTrans) wp_die(); // No record: token unknown, or older than 60 minutes
if ($_POST['qnrwp_ajax_cookie'] !== md5(crypt($_SERVER['REMOTE_ADDR'], $ajaxTrans))) wp_die(); // Re-derive from the caller's IP
```
A couple of things to clarify to avoid confusion:

- md5() is primarily used as a replacement for bin2hex(); its weak crypto security is just an added bonus, not being relied upon – crypt() is used for good encryption.
- crypt() is able to generate a salt, but I prefer creating my own, as I’ll store it in the temporary record (set/get_transient() in the code). The salt is quite long, helping avoid clashes between different clients accessing the site at the same time. A clash is still possible, but I think unlikely, and even if it happened, it would not be catastrophic – if the clashing clients share their IP, one of them may find up to 120 minutes available after page load rather than 60, no big deal.
I believe my question is at quite an advanced level and would prefer if those with good knowledge of the subject write answers rather than try to engage in discussion in the comments. That said, if anything is unclear, feel free to ask in the comments. If you see weaknesses in the code, please try to provide concrete suggestions for improvement, rather than merely pointing out the loopholes. The most constructive answer will be accepted. I will wait a few days before accepting.
Please note I’m not open to suggestions of third-party tools or WordPress plugins – this is a case of “rolling my own”.
Thanks in advance!
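Added example (editor's code, not from the post above): the scheme described in the question reduced to plain PHP functions that run from the command line without WordPress. The set_transient()/get_transient() record is modelled as an in-memory array carrying an expiry time, random_bytes() stands in for openssl_random_pseudo_bytes(), hash_equals() replaces the plain !== comparisons, and wp_die() becomes a returned reason string; the client addresses are constructed sample values. The token derivation is passed in as a callable so that the post's md5(crypt()) can be run side by side with a keyed hash over the whole address (hash_hmac), which is the editor's substitution and not part of the design under review. The reason for running both: when the salt starts with neither `$` nor `_`, PHP's crypt() selects the traditional DES scheme, which reads only the first two salt characters and the first eight bytes of its input, so the script checks what the handler's IP test actually distinguishes.

```php
<?php
declare(strict_types=1);

// Editor's example, not the post's code. The WordPress transient store is
// replaced by an in-memory array; IP addresses below are constructed samples.

const TOKEN_TTL = 60 * 60; // 60 minutes, as in the original design

/** Derivation exactly as in the post: md5(crypt(ip, salt)). */
function token_as_posted(string $ip, string $salt): string
{
    return md5(crypt($ip, $salt));
}

/** Alternative derivation (editor's assumption, not the post's): keyed hash over the full address. */
function token_hmac(string $ip, string $salt): string
{
    return hash_hmac('sha256', $ip, $salt);
}

/**
 * Page-construction step: mint a salt, derive the token, store the salt under the token.
 * Returns the cookie value that the JS Ajax caller will echo back in the POST body.
 */
function issue_token(string $ip, array &$store, int $now, callable $derive): string
{
    $salt  = bin2hex(random_bytes(30)); // 60 hex characters, same length as in the post
    $token = $derive($ip, $salt);
    $store['qnrwp_ajax_temp_salt_' . $token] = ['salt' => $salt, 'expires' => $now + TOKEN_TTL];
    return $token;
}

/**
 * Ajax-handler step: the three checks from the post, in the same order.
 * Returns null on success, or a short reason string where the handler would call wp_die().
 */
function verify_request(array $post, array $cookie, string $ip, array $store, int $now, callable $derive): ?string
{
    if (!isset($post['qnrwp_ajax_cookie'], $cookie['qnrwp_ajax_cookie'])) {
        return 'missing token';
    }
    // Check 1: the echoed body value must equal the cookie value (constant-time compare).
    if (!hash_equals($cookie['qnrwp_ajax_cookie'], $post['qnrwp_ajax_cookie'])) {
        return 'body token does not match cookie';
    }
    // Check 2: a live salt record must exist under that token.
    $rec = $store['qnrwp_ajax_temp_salt_' . $post['qnrwp_ajax_cookie']] ?? null;
    if ($rec === null || $rec['expires'] <= $now) {
        return 'no live salt record for this token';
    }
    // Check 3: re-deriving from the caller's IP and the stored salt must give the same token.
    if (!hash_equals($derive($ip, $rec['salt']), $post['qnrwp_ajax_cookie'])) {
        return 'token was not derived from this client IP';
    }
    return null;
}

// --- Walk-through with constructed data, once per derivation ---
$now = time();

foreach (['token_as_posted', 'token_hmac'] as $derive) {
    $store  = [];
    $token  = issue_token('203.0.113.45', $store, $now, $derive);
    $post   = ['qnrwp_ajax_cookie' => $token];
    $cookie = ['qnrwp_ajax_cookie' => $token];

    $cases = [
        'same client, in time     ' => ['203.0.113.45', $now],
        'other client, same /24   ' => ['203.0.113.99', $now], // shares the first 8 characters "203.0.11"
        'same client, 61 min later' => ['203.0.113.45', $now + 61 * 60],
    ];
    foreach ($cases as $label => [$ip, $when]) {
        $result = verify_request($post, $cookie, $ip, $store, $when, $derive) ?? 'ok';
        printf("%-16s %s: %s\n", $derive, $label, $result);
    }
}
```

Run with `php token_check.php`. The first and third cases behave the same under both derivations (accepted, then rejected once the 60-minute record has lapsed). The second case is where they differ: with md5(crypt()) the request from 203.0.113.99 is accepted, because the DES path of crypt() only sees "203.0.11" from either address, whereas the keyed hash over the full string rejects it.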