PHP equivalent to Authorized ASP.NET WebMethod (AJAX)?
Rarely, but I have to pay MS a compliment: ASP.NET WebMethod (AJAX) authorization is a dream come true for my pursuit of security and laziness.
Encosia ASP.NET page methods are as secure as you make them , which fully comply with these requirements. ASP.NET actually works for me now. Free at last! (From the noble but disastrous AJAXControlToolkit).
In any case, the problem is that to work. I don't buy MS architecture when LAMP is free there. I'm new to AJAX and I can't seem to find a clear answer on how to resolve AJAX calls for PHP in the same way as Encosia above.
Can anyone suggest a PHP equivalent to what Encosia does in the link above?
Thanks in advance!
More details
Ok, let me be more specific. Encosia's solution above gives 401 people who are not logged in to access the web method. Neat, clean, lightweight. I used to try to use the user's session data for access, but this is, unknowingly for me, forced synchronous mode. Nono.
I need both for my site. I need to be able to give 401 rejections on certain pages if the user is not logged in. I need to allow anyone to call other phps via ajax, regardless of login.
Clarity
Bottom line: I don't want anyone to access some PHP AJAX unless they are logged in. I don't care what the answer is or any other details as long as its "AJAX". How?
Not entirely clear from the question, but if you want to allow listening to your AJAX server side scripts (possibly XML or JSON output) for users who are either deprecated or on the relevant page, then how about adding a session id for your JS AJAX requests? On the server side script, you can check this id from possibly a DB table containing your current sessions.
For added security, you can check IP, cookie, etc. These are all values ββthat you can set when starting a session.
The main thing you need to ask yourself is:
If the user is either logged in or browsing, what kind of database access do you really want / need to grant? Each application will have its own needs. If your server has AJAX listeners, then all you need is a quick look at Firebug (example) to see where your scripts are located and the format of the requests. This could lead to a potential security hole. Make sure all incoming requests are properly handled to remove the possibility of injection attacks.
source to share