Protecting mySQL/PHP data which creates Google Map content

I have created a Google Map which uses data from a mySQL database. The records are retrieved and dumped in php using .json_encode. This is then parsed into Javascript with AJAX for Google Maps to create markers and other information.

I would like to secure the php file which is pretty easily accessible if you so happen to know the name of the file. One suggestion is to limit access to the script by authenticating the client using session cookies. With my novice understanding; is there any way to limit access to the php file directly by authentication and otherwise indirectly verifying the presence of a session cookie in the AJAX request.
Nehemiah1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RobOwner (Aidellio)Commented:
First off you can restrict access to that file through your .htaccess rules:
SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=

Open in new window

0
RobOwner (Aidellio)Commented:
But if you know what you're doing its easy enough to set up a request in the console of the browser, did it recently in fact. Will find the question as it may be relevant.
So people who want to get in, will get in.
Forcing the user to login gives you that little bit more control over your data but nothing is ever water tight. You just have to make it VERY hard to crack to the point people will give up.
0
Nehemiah1Author Commented:
But how do you force the user to login when attempting to access the file directly and accept access within the AJAX call when detecting the presence of a session cookie (which is generated on the page where the map is placed)?
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

RobOwner (Aidellio)Commented:
The session cookie is determined by the server not the client so you should also be able to detect that in your "data" php.

I'm not sure how you're doing the authentication but when I wanted to secure a page I would include a simple php file "authentication.php" at the top of the script that checked for the session.  If it wasn't there it dies and the requested page is never served.  That's regardless of ajax or otherwise.
0
Ray PaseurCommented:
0
Nehemiah1Author Commented:
Ok so the first thing i will attempt is to restrict browser access via .htaccess.

The next thing (please correct if necessary), i will have the map page create a session cookie in which the the 'data.php' file will check for this session (via an authentication.php include). If it cannot be found, the rest of the script will not be executed.

Does this sound right?

So in this case there is no requirement for human authentication since this is handled by the existence of the session cookie?
0
Ray PaseurCommented:
It sounds to me like you're trying to secure the background script (the one called by AJAX requests) so that it cannot be called directly.  The PHP session sounds like a fairly good way to secure this.  The map page will use session_start() at the top of the script and put some kind of authentication value into the $_SESSION array.  The background script will use session_start() at the top of the script and will test for the authentication value in the $_SESSION array.  The attacker will need to first load your map page in order to start the session correctly, then he will be able to return the session cookie as he makes calls to the background script.  If your design is such that you would need to make repeated AJAX calls to the background script, you're a little more exposed.  If you expect one and only one background call per map page load, the background script can delete the authentication value from the session as it runs, making this a one-time token.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
RobOwner (Aidellio)Commented:
What Ray said, and that's right about the rest of the authentication script not running if the session variable aren't present.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JavaScript

From novice to tech pro — start learning today.