PHP - How to determine if request is coming from a specific file
I have fileA.php on SERVER_A and fileB.php on SERVER_B
fileB.php makes a curl request to fileA.php for its contents
How can fileA.php determine that the request is coming specifically from fileB.php?
--
I was thinking about sending the $_SERVER['SCRIPT_NAME'] in fileB.php to fileA.php but since someone can go into fileB.php or any file in general and just do $_SERVER['SCRIPT_NAME'] = 'fileB.php'; it's not really that secure.
So how can I determine, for security reasons, that the request is coming from a specific file on a different server?
You can't, reliably. You can try setting an HTTP header and verifying that on the other side; it's not fool-proof, but it's better than most.
Impossible, because of your statement:
"since someone can go into fileB.php"
Why not set up a secret token, and verify it on the receiving end?
// fileB.php
$url = "http://example.com/fileA.php"
    . "?from=fileB"
    . "&token=" . sha1('fileB' . 'myaw3som3_salt!');
// then make the cURL request.

// fileA.php
// Check both parameters exist, and compare with hash_equals() rather than !=,
// so a missing parameter or PHP's loose string comparison cannot let a bad token through.
if (!isset($_GET['from'], $_GET['token'])
    || !hash_equals(sha1($_GET['from'] . 'myaw3som3_salt!'), (string) $_GET['token'])) {
    die();
}
This is a simplistic example here, but you get the idea.
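A fuller version of the secret-token idea above, added here as an example and not code from the answer: the token is an HMAC over the sender name, a timestamp, a one-time nonce and the request body, carried in headers rather than the query string, and the receiver rejects stale or replayed requests. SECRET and the header names are placeholders I chose for the example; the in-memory $seen_nonces array stands in for whatever store fileA.php would use. As the other answers say, this proves the caller holds the secret, not that the call came from fileB.php.

```php
<?php
// Added example: HMAC-signed request between fileB.php (sender) and fileA.php (receiver).
// SECRET is a placeholder; load a real one (e.g. 32 bytes from random_bytes()) from
// config outside the web root and give it to both servers out of band.
const SECRET   = 'replace-with-a-long-random-shared-secret';
const MAX_SKEW = 60; // seconds a signed request stays valid

// Sender side (fileB.php): headers to put on the cURL request.
function sign_request(string $from, string $body, ?int $now = null, ?string $nonce = null): array
{
    $now   = $now   ?? time();
    $nonce = $nonce ?? bin2hex(random_bytes(16));
    // Bind the signature to sender, time, nonce and body so none can be swapped.
    $msg = implode("\n", [$from, (string) $now, $nonce, hash('sha256', $body)]);
    return [
        'X-From'      => $from,
        'X-Timestamp' => (string) $now,
        'X-Nonce'     => $nonce,
        'X-Signature' => hash_hmac('sha256', $msg, SECRET),
    ];
}

// Receiver side (fileA.php). $seen_nonces is the replay cache: an array here so the
// example runs stand-alone; use a database or APCu shared between requests for real.
function verify_request(array $headers, string $body, array &$seen_nonces, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach (['X-From', 'X-Timestamp', 'X-Nonce', 'X-Signature'] as $h) {
        if (!isset($headers[$h]) || !is_string($headers[$h])) {
            return false;
        }
    }
    if (!preg_match('/^\d{1,12}$/', $headers['X-Timestamp'])
        || abs($now - (int) $headers['X-Timestamp']) > MAX_SKEW) {
        return false; // stale, from the future, or not a number
    }
    if (isset($seen_nonces[$headers['X-Nonce']])) {
        return false; // replay of a request we already accepted
    }
    $msg = implode("\n", [$headers['X-From'], $headers['X-Timestamp'],
                          $headers['X-Nonce'], hash('sha256', $body)]);
    $expected = hash_hmac('sha256', $msg, SECRET);
    // hash_equals() compares in constant time, so the check leaks nothing byte by byte.
    if (!hash_equals($expected, $headers['X-Signature'])) {
        return false;
    }
    $seen_nonces[$headers['X-Nonce']] = $now;
    return true;
}

// Offline walk-through with a constructed request (no network, no real servers).
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
}

$seen = [];
$body = 'give me the contents';
$hdrs = sign_request('fileB', $body);
check(verify_request($hdrs, $body, $seen), 'fresh signed request is accepted');
check(!verify_request($hdrs, $body, $seen), 'same nonce a second time is rejected');
$hdrs = sign_request('fileB', $body);
check(!verify_request($hdrs, 'tampered body', $seen), 'body change breaks the signature');
$hdrs = sign_request('fileB', $body, time() - 600);
check(!verify_request($hdrs, $body, $seen), 'request older than MAX_SKEW is rejected');
echo "all checks passed\n";
```

Run it with php on the command line; every check() call throws if the behaviour differs from the comment beside it. The nonce cache is what stops someone who captured one valid request from sending it again, and the timestamp is what keeps that cache from growing forever (entries older than MAX_SKEW can be purged). Send the request over HTTPS, otherwise anyone on the path sees the body and can forge the next one only if they also have SECRET, but can read everything either way.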
Once you request outside your server you have really no control. If fileA on the other server has the possibility of man-in-the-middling fileB, you need to rethink your security model. What's the specific situation?
One way would be to check the $_SERVER['HTTP_REFERER'] variable in PHP, but it is the browser's decision to populate this so it can't be fully trusted.
Little can be done if a 3rd party has access to fileB.php. REFERER gives you no protection. REMOTE_ADDR is not as trivial to spoof, that might give you some assurance that the request is legit.
I think nickf was spot on, but just to expand on his answer a little bit, here's what I would do:
- fileB.php on Server1 requests fileC.php on Server2
- fileC.php on Server2 returns a randomly-generated salt, stores it in a file or database with a timestamp
- fileB.php on Server1 requests fileA.php on Server2, and sends as its request body a preconfigured key, hashed, appended with the random salt and hashed again (e.g. sha1(sha1('mypassword') . $salt))
- fileA.php checks if a salt has been generated in the last 60 seconds, if not returns an error
- fileA.php performs the same hash with its last random salt and preconfigured key - sha1(sha1('mypassword') . $salt) again, which is compared with the request body as sent by fileB.php. If they match, fileA.php grants access to fileB.php.
- fileA.php deletes the last salt that was generated.
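The six steps above as runnable code, added here as an example rather than code from the answer. PRESHARED_KEY is the answer's 'mypassword' placeholder, the $store array stands in for the file or database row on Server2, and both sides run in one script so it can be tried offline. Two departures from the answer are marked in comments: the salt comes from random_bytes() instead of an unspecified generator, and it is deleted whether or not the proof matches, so each challenge can be tried exactly once.

```php
<?php
// Added example: challenge-response between fileB.php (Server1) and fileC.php/fileA.php (Server2).
const PRESHARED_KEY = 'mypassword'; // placeholder from the answer; use a long random string
const SALT_TTL      = 60;           // seconds, as in the answer

// Step 2, fileC.php on Server2: hand out a fresh salt and remember when it was issued.
// $store is the answer's "file or database"; an array here so the example is self-contained.
function issue_salt(array &$store, ?int $now = null): string
{
    $salt = bin2hex(random_bytes(16)); // CSPRNG; not mt_rand()/uniqid(), which are guessable
    $store['salt']      = $salt;
    $store['issued_at'] = $now ?? time();
    return $salt;
}

// Step 3, fileB.php on Server1: the value sent as the request body to fileA.php.
function make_proof(string $salt): string
{
    return sha1(sha1(PRESHARED_KEY) . $salt);
}

// Steps 4 to 6, fileA.php on Server2.
function verify_proof(array &$store, string $proof, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($store['salt'], $store['issued_at'])) {
        return false; // no outstanding challenge, so nothing can be proved
    }
    $salt = $store['salt'];
    $age  = $now - $store['issued_at'];
    // Step 6 moved first and made unconditional: the salt is consumed by any attempt,
    // so a wrong proof cannot be retried against the same challenge.
    unset($store['salt'], $store['issued_at']);
    if ($age < 0 || $age > SALT_TTL) {
        return false; // step 4: salt older than 60 seconds (or from the future)
    }
    // Step 5, with a constant-time comparison instead of ==.
    return hash_equals(make_proof($salt), $proof);
}

// Offline walk-through with constructed values.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
}

$store = [];
$salt  = issue_salt($store);
$proof = make_proof($salt);
check(verify_proof($store, $proof), 'fresh proof for a fresh salt is accepted');
check(!verify_proof($store, $proof), 'replaying the same proof fails: salt already consumed');
$salt = issue_salt($store, time() - 120);
check(!verify_proof($store, make_proof($salt)), 'salt issued 120 s ago is expired');
$salt = issue_salt($store);
check(!verify_proof($store, sha1(sha1('wrong-key') . $salt)), 'wrong pre-shared key fails');
check(!verify_proof($store, make_proof($salt)), 'and the failed attempt already burned the salt');
echo "all checks passed\n";
```

What this buys and what it does not: the random, short-lived, single-use salt means a captured request body is useless a minute later and cannot be replayed at all once fileA.php has seen it, which the static token in the earlier answer does not give you. It still only proves that the caller knows PRESHARED_KEY; anyone who can read fileB.php has that key, which is the point the other answers make. Note also that the answer's model keeps one outstanding salt, so a third party who can reach fileC.php can keep overwriting it and make legitimate fileB.php requests fail; keying the store by client would avoid that.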