Entice
Posted March 14, 2017

So I have this weird setup:

file.php
index.php
/site/templates/test.php

From test.php, I perform an ajax call to file.php. For the most part, I can access the API and use everything properly in file.php. But when I check in the (Admin > Setup > Sessions), it shows "/http404/" for the page viewed by that session. It doesn't affect anything from what I can tell, but I can't seem to figure out why it always returns a http404 when I include the index.php inside file.php. I have a feeling it's because that's the last file that gets called when home.php is rendered, as the ajax is done on page load. I expected to see /test/ instead. Not sure if anyone else has seen this as well.

Also, for the most part, the entire site is self-contained and in hindsight, I don't see any reasons why I couldn't have placed file.php in the templates folder. Is what I currently have alright, or would it be a more ideal setup to move it to the templates folder?

Robin S
Posted March 14, 2017

8 minutes ago, Entice said:
"I don't see any reasons why I couldn't have placed file.php in the templates folder."

You probably did that because PW blocks direct access to PHP files inside the /site/ directory. If you are considering making a change to your site, I think it would be better to put the contents of file.php into a PW template file and access it as a page at mydomain.com/file/ or whatever. Also no need to bootstrap PW if you do it that way.

Entice (Author)
Posted March 14, 2017

I set this up a long time ago, but I think you're right. I must've run into an issue trying to access the file via ajax directly inside the site directory, hence why I had moved it up in the beginning. I don't know why I didn't think of adding it as a template; that does make sense.

If I were to do that, does if ($config->ajax) take into account if it was loaded by PW itself and not some external file outside the site? I assume something like that would run into XSS issues if it was done with ajax.

Thanks Robin.

Robin S
Posted March 14, 2017

2 minutes ago, Entice said:
"If I were to do that, does if ($config->ajax) take into account if it was loaded by PW itself and not some external file outside the site?"

You could have the template throw a 404 if it is not an ajax request, but I don't think there is any special security provided by $config->ajax. Putting your ajax response code into a template makes it no more or less secure than how you have it currently. Others here can probably advise you better about security than I can, but I think you'd need proper authentication if your code is returning something sensitive.

LostKobrakai
Posted March 14, 2017

All $config->ajax does is check for the request header "X-Requested-With", which is not even a real standard. It is included in jQuery's ajax tools by default, but most modern ajax libraries don't do that anymore. There's nothing more to it.
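
What the last two replies mean in practice, as an added example that is not part of the thread and is not ProcessWire's own code: an endpoint gated only on the "X-Requested-With" header answers any client that sends that header, while the same endpoint gated on the server-side session does not. The function names, the session-user array shape and the request arrays are assumptions constructed for the illustration.

```php
<?php
// Added example, not ProcessWire code. looksLikeAjax() is a stand-in for the
// header check described in the thread; all request data below is constructed.

function looksLikeAjax(array $server): bool {
    // The client chooses this header, so it says nothing about who is calling.
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

// Header-only gate: 404 for non-ajax requests, data for everything else.
function headerOnlyEndpoint(array $server): array {
    if (!looksLikeAjax($server)) return [404, null];
    return [200, ['report' => 'sensitive']];
}

// Same endpoint, but the decision rests on the server-side session.
// $sessionUser is null for guests (hypothetical shape: name + canViewReport).
function authenticatedEndpoint(array $server, ?array $sessionUser): array {
    if (!looksLikeAjax($server)) return [404, null];   // routing convenience only
    if ($sessionUser === null) return [401, null];     // not logged in
    if (empty($sessionUser['canViewReport'])) return [403, null];
    return [200, ['report' => 'sensitive']];
}

$ajax = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$editor = ['name' => 'editor', 'canViewReport' => true];
$member = ['name' => 'member', 'canViewReport' => false];

// Constructed requests: [server headers, session user or null].
$requests = [
    'page-load ajax, logged-in editor'   => [$ajax, $editor],
    'page-load ajax, logged-in member'   => [$ajax, $member],
    'non-browser client sending header'  => [$ajax, null],
    'plain browser visit, guest'         => [[], null],
];

foreach ($requests as $label => [$server, $user]) {
    printf(
        "%-36s header-only: %d  authenticated: %d\n",
        $label,
        headerOnlyEndpoint($server)[0],
        authenticatedEndpoint($server, $user)[0]
    );
}
```

In a ProcessWire template the session decision would come from the $user API variable, for example $user->isLoggedin(), rather than from the constructed array used here.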