
PHP - How to determine if request is coming from a specific file

I have fileA.php on SERVER_A and fileB.php on SERVER_B

fileB.php makes a curl request to fileA.php for its contents

How can fileA.php determine that the request is coming specifically from fileB.php?

--

I was thinking about sending the $_SERVER['SCRIPT_NAME'] in fileB.php to fileA.php but since someone can go into fileB.php or any file in general and just do $_SERVER['SCRIPT_NAME'] = 'fileB.php'; it's not really that secure.

So how can I determine, for security reasons, that the request is coming from a specific file on a different server?


You can't, reliably. You can try setting an HTTP header and verifying that on the other side; it's not fool-proof, but it's better than most.


Impossible, because of your statement:

"since someone can go into fileB.php"


Why not set up a secret token, and verify it on the receiving end?

// fileB.php

$url = "http://example.com/fileA.php"
     . "?from=fileB"
     . "&token=" . sha1('fileB' . 'myaw3som3_salt!')
;
// then make the cURL request.


// fileA.php
// Recompute the token from the claimed sender and the shared secret and
// compare in constant time; a loose != on hex digests is open to PHP
// type juggling, and missing parameters should not raise notices.
$from  = $_GET['from']  ?? '';
$token = $_GET['token'] ?? '';
if (!hash_equals(sha1($from . 'myaw3som3_salt!'), $token)) {
    die();
}

This is a simplistic example here, but you get the idea.


Once you request outside your server you have really no control. If fileA on the other server has the possibility of man-in-the-middling fileB, you need to rethink your security model. What's the specific situation?


One way would be to check the $_SERVER['HTTP_REFERER'] variable in PHP, but it is the browser's decision to populate this so it can't be fully trusted.


Little can be done if a 3rd party has access to fileB.php. REFERER gives you no protection. REMOTE_ADDR is not as trivial to spoof, that might give you some assurance that the request is legit.


I think nickf was spot on, but just to expand on his answer a little bit, here's what I would do:

  • fileB.php on Server1 requests fileC.php on Server2
  • fileC.php on Server2 returns a randomly-generated salt, stores it in a file or database with a timestamp
  • fileB.php on Server1 requests fileA.php on Server2, and sends as its request body a preconfigured key, hashed, appended with the random salt and hashed again (e.g. sha1(sha1('mypassword') . $salt))
  • fileA.php checks if a salt has been generated in the last 60 seconds, if not returns an error
  • fileA.php performs the same hash with its last random salt and preconfigured key - sha1(sha1('mypassword') . $salt) again, which is compared with the request body as sent by fileB.php. If they match, fileA.php grants access to fileB.php.
  • fileA.php deletes the last salt that was generated.
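The challenge/response flow in the answer above, simulated in a single script as an added example (not code from the original answer). Assumptions: a shared key preconfigured on both servers, an in-memory array standing in for Server2's file or database of issued salts, and hash_hmac in place of the answer's sha1(sha1(key) . $salt), which is the standard way to bind a secret to a challenge.

```php
<?php
// Added example: nonce-based challenge/response between fileB (Server1)
// and fileC/fileA (Server2). SHARED_KEY and the array store are assumptions.
const SHARED_KEY = 'mypassword';   // preconfigured on both servers
const NONCE_TTL  = 60;             // seconds a challenge stays valid

// Stand-in for the file/database on Server2: nonce => issue time.
$nonceStore = [];

// fileC.php on Server2: issue a fresh random salt and record when.
function issueNonce(array &$store, int $now): string {
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = $now;
    return $nonce;
}

// fileB.php on Server1: derive the request body from the key and salt.
function buildResponse(string $nonce): string {
    return hash_hmac('sha256', $nonce, SHARED_KEY);
}

// fileA.php on Server2: accept only if the salt is known, recent and the
// HMAC matches; the salt is deleted on first use so it cannot be replayed.
function verifyRequest(array &$store, string $nonce, string $body, int $now): bool {
    if (!isset($store[$nonce])) {
        return false;                       // unknown or already consumed
    }
    $issuedAt = $store[$nonce];
    unset($store[$nonce]);                  // single use, even on failure
    if ($now - $issuedAt > NONCE_TTL) {
        return false;                       // challenge expired
    }
    $expected = hash_hmac('sha256', $nonce, SHARED_KEY);
    return hash_equals($expected, $body);   // constant-time comparison
}

// Walk through the exchange and the three failure modes.
$now   = time();
$nonce = issueNonce($nonceStore, $now);
$body  = buildResponse($nonce);
echo "fresh request:   ", var_export(verifyRequest($nonceStore, $nonce, $body, $now), true), "\n";
echo "replayed request:", var_export(verifyRequest($nonceStore, $nonce, $body, $now), true), "\n";

$late = issueNonce($nonceStore, $now);
echo "expired salt:    ", var_export(verifyRequest($nonceStore, $late, buildResponse($late), $now + NONCE_TTL + 1), true), "\n";

$fresh = issueNonce($nonceStore, $now);
echo "wrong key:       ", var_export(verifyRequest($nonceStore, $fresh, hash_hmac('sha256', $fresh, 'guess'), $now), true), "\n";
```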
