Jump to content

[SOLVED] Backoffice ajax call authentication


Recommended Posts

I've written module (prestashop 1.4.x) with tab in backoffice and it works fine.


File structure looks like that:




/modules/mymodule/[... other files ...]


Now I want to make ajax call to file ajax.php using uri: "/modules/mymodule/ajax.php".

Of course there's no problem with ajax call itself :)

I want this file only check if user is logged in backoffice and do some simple stuff without initializing all admin functions.

The problem is i can not verify if user is logged in backoffice (admin cookie path is set to "/admin").


The only way I found is to call admin tab or module configuration page (eg. index.php?tab=AdminMymodule&token=blabla&ajax) but it loads all admin features and is about 4-5 times slower.


Im just curious, does anyone have nice solution for such ajax calls in backoffice?

Edited by ziq (see edit history)
Link to comment
Share on other sites

Hello ziq. I know what your problem is. The fact is that it's not feasible to access to a cookie with the admin path from a different path.


So, all possible solutions will be "workarounds". And I can suggest you one:


I'd use a strategy like this:

On your admin-hook module or tab content generation function, include an encrypted token, along with an employee ID, and send both parameters to your ajax php file. For example:


//inside the tab content generator
global $cookie;
$idEmployee = (int)$cookie->id_employee_logged;
$timeGenerated = time();
$cryptToken = md5($idEmployee . _COOKIE_KEY_ . $timeGenerated);

//this is a sample, it has to be located inside a <script> tag, it performs an ajax call using jQuery
$html .= '$.ajax({
  type: "POST",
  url: "'._MODULE_DIR_.'/mymodule/ajax.php",
  data: "cryptToken=' . $cryptToken . '" +
  "&idEmployee=' . $idEmployee . '"+
  "&timeGenerated='.$timeGenerated.'"  //and other data parameters
//other ajax parameters...


On your ajax php file, check that you are receiving the expected data as is shown below:


//settings.inc.php has the define for _COOKIE_KEY_ ... it has only around 20 defines sentences, so it won't take too much time to load.
require(dirname(__FILE__). '/../../config/settings.inc.php');
//you can define this value as you whish.
$MAX_TIME = 60*10;
$idEmployee = (int)$_POST['idEmployee'];
$timeGenerated = (int)$_POST['timeGenerated '];
//Generate the expected token
$cryptToken = md5($idEmployee . _COOKIE_KEY_ . $timeGenerated);
//validate that the token is correct and the time has passed less than MAX_TIME
if($_POST['cryptToken'] == $cryptToken AND ((time()-$timeGenerated)<$MAX_TIME) ) {
 //do your ajax stuff here :-)


Of course, this approach can't verify that the employee is still logged... but at least you can limit the max_time to allow the request since the orginal page was loaded. It's suppossed to work ok most of the times. So I hope it help you to do what you want. If this has answered to your question, you can edit the post and mark it as solved. :)


Best Regards,





Check this cool modules (must have) :

LoginAsCustomer for PS1.5

Cart Details

Edited by axelmdp (see edit history)
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...