
how can I reliably check that requests to my service file have come from my website?

I have a service.php class that I use to service AJAX calls from my website. To prevent other people accessing the service using PHP cURL I would normally check that the request has come from mysite, and if it has not, just redirect to my home page, e.g.

<?php
// Naive referer check: the approach the question describes as unreliable
if ($_SERVER['HTTP_REFERER'] != "http://www.mysite.com") {
   header('Location: http://www.mysite.com');
   exit;
}

I read in the PHP holy bible:

http://www.php.net/manual/en/reserved.variables.server.php

that

"Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."

So if this method is not reliable, my question is how can I reliably check that requests to my service file have come from my website?

Thanks for any help you can provide!


You need to create a small session cookie, which includes time of page request, IP of the requester and some secret string which changes from time to time (i.e. is valid for an hour or so). The cookie must be encrypted. Now when the AJAX call is made, you check the cookie, compare the IP, check the secret string and act accordingly.

But to tell the truth, this will make the hacker's task more complicated, but not impossible. So you'd need to add HTTPS to the equation, and even then a good trojan on the client's computer would make false requests possible. But for most scenarios the above + HTTPS would drive the attacker away.


You can't easily I think. What you could do is make your own files always post some sort of passphrase. Say you sent some data (datetime?), and a hash of "datetime+secretstring"

As only you know the secretstring, only you can create the hash. Recreate the hash in your 2nd file using the received datetime, and check if the sent hash is correct.

Requests from other sites will not have your hash and datetime, or at least not the correct one.
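The timestamp-plus-hash scheme from this answer (and the expiring, secret-bound token from the answer above), written out as an added example in PHP; this is not code from either answerer. It assumes a server-side secret (SERVICE_SECRET, a placeholder here) and a token lifetime (TOKEN_TTL), and uses hash_hmac() rather than a plain hash of "datetime+secretstring" so the secret is keyed into the MAC.

```php
<?php
// Added example: "<timestamp>:<hmac>" token that the page embeds in its own
// AJAX calls and that service.php verifies before doing any work.
// Assumptions: SERVICE_SECRET is a long random server-side secret (placeholder
// value below); TOKEN_TTL is the accepted age of a token in seconds.

const SERVICE_SECRET = 'replace-with-a-long-random-secret'; // placeholder
const TOKEN_TTL      = 3600;                                 // one hour, as answer 1 suggests

// Page side: build a token for the current time. Only code that knows
// SERVICE_SECRET can produce a matching MAC.
function make_token(int $now): string {
    $mac = hash_hmac('sha256', (string)$now, SERVICE_SECRET);
    return $now . ':' . $mac;
}

// Service side: recompute the MAC over the received timestamp, compare it,
// and reject tokens that are too old (or from the future).
function verify_token(string $token, int $now): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $ts, SERVICE_SECRET);
    // hash_equals() compares in constant time, so timing does not leak the MAC.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    $age = $now - (int)$ts;
    return $age >= 0 && $age <= TOKEN_TTL;
}

// Request handler for service.php: $post is the parsed POST body.
// Returns true when the caller presented a valid, unexpired token.
function handle_request(array $post, int $now): bool {
    $token = $post['token'] ?? '';
    if (!verify_token($token, $now)) {
        http_response_code(403);
        return false;
    }
    // ... service the AJAX call here ...
    return true;
}

// In the page template the token is emitted for the site's own JavaScript:
//   <div id="app" data-token="<?= htmlspecialchars(make_token(time())) ?>">
// and the script sends it as the "token" POST field with each AJAX request.
```

Because the token is readable by anyone who loads the page, it proves only that the request was built from a page your server served recently, not that a browser made it; to tie it to a particular visitor, store it in the session as the first answer describes and compare on each call.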
