  1. #1
    gregdbowen (SitePoint Enthusiast)

    Adding better security than HTTP_REFERRER

    I have an html script that calls a PHP page, which returns database info as a JSON array.

    I do not want people to look at my source, see the name of the php file, and run it from their browser to see the contents of the JSON array.

    I put code in the php file that if the referring site is NOT from the html file's directory to exit and not process the request.

    This works great: the HTML file calls the PHP and the data returns, but if you call the PHP from any other browser it exits without exposing any data (afaik).

    However, I know that HTTP_REFERRER can be easily spoofed - Does anyone know of a way that I can have the PHP file know for sure where requests are coming from, or better ONLY allow requests from a specific URL?

    Greg Bowen | Founder / Lead Dev
    Fluidlab
    PUBLISHING TOOLS FOR WORDPRESS
    http://FluidlabPro.com @FluidlbPro
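    The check described in this post, as an added example (not gregdbowen's code), together with the one curl line that defeats it. Assumed names: the player lives under http://example.com/player/ and the JSON endpoint is tracks.php; the $_SERVER array is passed in as a parameter so the check can be exercised with constructed input.

```php
<?php
// Added example, not the poster's code: a referer check of the kind the post
// describes, and the single curl line that defeats it. Assumed names: the player
// lives under http://example.com/player/ and the JSON endpoint is tracks.php.
declare(strict_types=1);

/**
 * True only if the Referer header starts with the calling page's directory.
 * $_SERVER is passed in as $server so the check can be run on constructed input.
 * The key really is HTTP_REFERER (one R after the F), matching the misspelt header name.
 */
function referer_allowed(array $server, string $allowedPrefix): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return $referer !== '' && strncmp($referer, $allowedPrefix, strlen($allowedPrefix)) === 0;
}

// What tracks.php would do before touching the database:
//   if (!referer_allowed($_SERVER, 'http://example.com/player/')) {
//       http_response_code(403);
//       exit;
//   }
//   header('Content-Type: application/json');
//   echo json_encode($tracks);

// Constructed requests:
$prefix = 'http://example.com/player/';

// The player page's XMLHttpRequest: the browser sets the Referer, so the request is allowed.
var_dump(referer_allowed(['HTTP_REFERER' => 'http://example.com/player/player.html'], $prefix)); // bool(true)

// tracks.php typed into the address bar: no Referer, so the request is refused. This is all the check buys.
var_dump(referer_allowed([], $prefix)); // bool(false)

// A client that sets the header itself is indistinguishable from the real page:
//   curl -H 'Referer: http://example.com/player/player.html' http://example.com/player/tracks.php
var_dump(referer_allowed(['HTTP_REFERER' => 'http://example.com/player/player.html'], $prefix)); // bool(true)
```

    The last two calls are the whole story: the server only ever sees the header the client chose to send, so a check on it distinguishes "a browser that followed a link from my page" from "a browser that did not", and nothing more.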

  2. #2
    logic_earth
    You can do layer upon layer upon layer of obscurity, but it is not going to make it any more secure, because the data will get to the user regardless of what you do. If you do not want the user to have this data, do not put it online. Period. So to answer all your questions... no. But I am curious: if you are showing the user this data already, why are you concerned with not letting them see the raw JSON?
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    gregdbowen (SitePoint Enthusiast)
    I have a music player in HTML that calls a PHP file that accesses a DB and returns the URL of mp3s that play in a player. I didn't want people to run the php script and have a full list of the mp3s on my server. Not really that big of a deal, it is all non-RIAA liberated music anyway - Also just trying to learn.

    The way the player works, you cannot view source and see the JSON data; it stays in variables. I really do not understand how all of this works 100%, but it seemed that if the PHP would only run if called from the same URL as the HTML, then no one could run the PHP, only an HTML file on the same server as itself.

    Would it be possible to see the JSON data in the HTML doc that is running beyond view source?


  4. #4
    Force Flow
    Maybe include a session token?
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  5. #5
    gregdbowen (SitePoint Enthusiast)
    I would need to have them login for session variables to work, no?

  6. #6
    PHP_Adam (SitePoint Enthusiast)
    HTTP_REFERER is not security; it's far from it. It is sent from the user's computer to your server, which means the user can change the value to whatever they want. I could bypass your "security" with one line in PHP cURL, so you asked a good question.

    The easiest way is to provide a SESSION TOKEN when they visit the valid calling page, then on the JSON script check that the TOKEN is still valid.

    You could also, on the calling page, send a "key" via the URL request and check that it's valid. This "key" changes every 24 hours, so if someone does game your system it will be a bit more of a pain.

    You could run an IP check (though not advisable).

    Encode the JSON and decode it on the calling page?
    ------
    The best solution is not to secure the data, as everything is breakable and you're just delaying the inevitable; if someone wants it and is determined, they could get it.

    -----
    Quote Originally Posted by gregdbowen View Post
    I would need to have them login for session variables to work, no?
    This is incorrect; they only need to visit the homepage (calling page), give them the session, then check it on the JSON request.
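    The session-token approach from this post, as an added example (not PHP_Adam's code). Assumed names: player.php is the calling page (it has to be PHP rather than plain HTML so it can start the session and print the token), tracks.php is the JSON endpoint, and the token travels in a hypothetical X-Player-Token request header. No login is involved: the session is created when the browser loads player.php.

```php
<?php
// Added example, not PHP_Adam's code. Assumed names: player.php (calling page),
// tracks.php (JSON endpoint), X-Player-Token (header carrying the token).
declare(strict_types=1);

const TOKEN_KEY = 'player_token';

/**
 * Called by player.php: mint a random token once per session and hand it to the page.
 * $_SESSION is passed by reference so the same code can be run on a constructed array.
 */
function issue_token(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG
    }
    return $session[TOKEN_KEY];
}

/** Called by tracks.php: serve JSON only if the presented token matches the one in this session. */
function token_valid(array $session, ?string $presented): bool
{
    if (empty($session[TOKEN_KEY]) || $presented === null) {
        return false;
    }
    return hash_equals($session[TOKEN_KEY], $presented);   // constant-time comparison
}

// In player.php:
//   session_start();
//   $token = issue_token($_SESSION);
//   ... print it into the page, e.g. <script>var token = <?= json_encode($token) ?>;</script>
//   ... and have the player send it: xhr.setRequestHeader('X-Player-Token', token);
//
// In tracks.php:
//   session_start();
//   if (!token_valid($_SESSION, $_SERVER['HTTP_X_PLAYER_TOKEN'] ?? null)) {
//       http_response_code(403);
//       exit;
//   }
//   header('Content-Type: application/json');
//   echo json_encode($tracks);

// Walk-through with a constructed array standing in for $_SESSION:
$session = [];
$token = issue_token($session);                 // browser loads player.php: gets a session cookie and the token

var_dump(token_valid($session, $token));        // bool(true): the player's request carries the token
var_dump(token_valid($session, 'guessed'));     // bool(false): wrong token in an otherwise valid session
var_dump(token_valid([], $token));              // bool(false): a client with no session (never loaded player.php)
```

    What this proves is that the client loaded player.php in the same session before asking for the JSON, which is the property a spoofed Referer cannot deliver: the session ID lives in a cookie the server issued, so a client cannot make up a session that already holds a token. It does not prove where the request came from; a script can still fetch player.php with a cookie jar, read the token out of the HTML and then call tracks.php, so this raises the bar rather than hiding the data, as the thread says.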

  7. #7
    Immerse (SitePoint Wizard)
    Greg, if you don't want people to look at your code, don't put it on the Internet.

    Using stuff like Firebug's Net console, or Live HTTP Headers, I can view all traffic and headers between my browser and your server.

    If you want to stop people stealing your MP3s, then you'll have to build some sort of login system, and pass everything through a session check (including the MP3s themselves).

  8. #8
    gregdbowen (SitePoint Enthusiast)
    Wow, awesome, thanks for the quick replies. Another issue I see is that someone could copy my source, host it on their own site with new CSS and run a clone of my player and stream my mp3s.

    I like the idea of sending a key. The way I can see to do this is to set up a cron script to write a random number to a file daily, and have a piece of inline PHP in the HTML doc write the key into the PHP request, and the PHP would read the same file looking for a match. So as long as the location of the file with the random number is kept secret, my site could only be hijacked for one day. Is this the best way to do the key method?

    As far as session tokens - wouldn't a spoofer be able to send a session variable as well? I will research this more - I think I am missing something here.

    Immerse: I am not going to have people log in. I am as much as anything trying to make a good faith effort to prevent people from downloading the mp3s that I am streaming. I realize that if someone is serious, they will find a way.

    Server side script is secure, no? People can't see the contents of inline PHP can they?
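    The daily key file described in this post, as an added example (not gregdbowen's code). Assumptions: the key is stored in /var/lib/player/key, outside the web root, and rewritten by a cron entry such as `0 0 * * * php /var/lib/player/rotate_key.php`; the check keeps the previous key as well as the current one so a page loaded just before midnight still works after rotation. Note that the PHP source itself is never sent to the browser as long as the server executes .php files, but whatever the inline PHP prints into the page (here, the key) is visible to anyone who views source; that is why the key only limits a hijack to the rotation window rather than preventing it.

```php
<?php
// Added example, not the poster's code. Assumes the key file lives outside the
// web root at /var/lib/player/key and that rotate_key() is run daily from cron.
declare(strict_types=1);

const KEY_FILE = '/var/lib/player/key';

/**
 * Run from cron: write a fresh random key on line 1 and keep the previous key
 * on line 2, so requests from pages loaded just before rotation still succeed.
 * Written to a temp file and renamed so a reader never sees a half-written file.
 */
function rotate_key(string $file): void
{
    $previous = is_file($file) ? trim((string) file_get_contents($file)) : '';
    $previousCurrent = explode("\n", $previous)[0];          // line 1 of the old file, or ''
    $current = bin2hex(random_bytes(32));

    $tmp = $file . '.tmp';
    file_put_contents($tmp, $current . "\n" . $previousCurrent . "\n", LOCK_EX);
    chmod($tmp, 0600);                                        // readable by the web server user only
    rename($tmp, $file);
}

/** Current key first, previous key second; empty lines dropped. */
function load_keys(string $file): array
{
    if (!is_file($file)) {
        return [];
    }
    return array_values(array_filter(array_map('trim', file($file)), 'strlen'));
}

/** Called by the inline PHP in the calling page: the key to embed in the player's request. */
function current_key(string $file): string
{
    return load_keys($file)[0] ?? '';
}

/** Called by tracks.php: accept the current key or the one before it, compared in constant time. */
function key_valid(string $file, ?string $presented): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    foreach (load_keys($file) as $key) {
        if (hash_equals($key, $presented)) {
            return true;
        }
    }
    return false;
}

// In the calling page (inline PHP):  <script>var key = <?= json_encode(current_key(KEY_FILE)) ?>;</script>
// In tracks.php:                     if (!key_valid(KEY_FILE, $_GET['key'] ?? null)) { http_response_code(403); exit; }

// Walk-through with a temporary file standing in for KEY_FILE:
$file = tempnam(sys_get_temp_dir(), 'key');
rotate_key($file);
$day1 = current_key($file);
rotate_key($file);                       // next day's cron run
$day2 = current_key($file);

var_dump(key_valid($file, $day2));       // bool(true)
var_dump(key_valid($file, $day1));       // bool(true): still inside the grace window
var_dump(key_valid($file, 'made-up'));   // bool(false)

rotate_key($file);                       // a day later again
var_dump(key_valid($file, $day1));       // bool(false): the day-1 key has aged out
unlink($file);
```

    Compared with the session token, this scheme needs no session at all and the calling page can stay mostly static, but the key is the same for every visitor for a whole day and is printed into the HTML, so a clone of the player can simply fetch the page and reuse it until the next rotation. That is the trade-off the post already identifies.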

  9. #9
    felgall (Programming Since 1978)
    Quote Originally Posted by gregdbowen View Post
    I am as much as anything trying to make a good faith effort to prevent people from downloading the mp3s that I am streaming.
    If you use proper streaming software on the server then it shouldn't be possible for anyone to actually download a copy unless they record the streamed file again on their system. They'd then need to figure out how to get their recorder software to record the streamed info rather than recording from a mic or aux in input.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  10. #10
    gregdbowen (SitePoint Enthusiast)
    Thx Felgall. Capturing audio streams is very easy to do: anything you hear on your computer can be captured, so people will get the mp3s if they want them.

    I have gotten the key system working (thx, PHP_Adam!). I now only need to update the key file on my server on an interval.

    I guess there is no way to prevent people from running the PHP scripts. I thought there would be a way to have a PHP file only run if the HTML that calls it is on the same (or a specified) server.

    Not sure about checking IP - encoding and decoding the JSON results is intriguing.
