  1. #1
    SitePoint Wizard
    Join Date
    Jan 2005
    Location
    blahblahblah
    Posts
    1,447
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    verify incoming request

    Hello,

    ExternalSite sends a request to my site. Is there a way to verify the request source, and make sure it's coming from ExternalSite? I don't have access to ExternalSite server. I know that $_SERVER isn't of any help in that case, so I guess it's a more complicated scenario that awaits me.

    Regards,

    -jj.

  2. #2
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Posts
    63
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You can use $_SERVER['HTTP_REFERER'] to identify the referral link from where the request is coming.

  3. #3
    SitePoint Wizard
    Join Date
    Jan 2005
    Location
    blahblahblah
    Posts
    1,447
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It can't be trusted, can it?

  4. #4
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Posts
    63
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, I agree with you. But I don't know any other reliable method to track the viewer's path.

  5. #5
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    I assume external site has a set IP address? Just verify the IP address.
    As long as the external site is doing the request and not in the form of an iframe.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  6. #6
    SitePoint Wizard
    Join Date
    Jan 2005
    Location
    blahblahblah
    Posts
    1,447
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The form is sent from the external site. It could be anyone filling this form and posting it directly to my website. I'm trying to find if, in that scenario, it is possible to know if the form has been filled on ExternalWebsite and sent from it. I guess a token will be necessary.

  7. #7
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    You would need a token that is generated for each request that only you and the external site would know how to generate. Otherwise, no, there is no way to reliably verify the request was from some form on a particular site.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  8. #8
    SitePoint Wizard
    Join Date
    Jan 2005
    Location
    blahblahblah
    Posts
    1,447
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    How would such a token be generated? I can't understand how two different servers could come up with the same token.

    What about a key that both sites would share?

  9. #9
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    The shared key would be the salt (PHP salt). The way you then create the rest of some convoluted key is up to you; it's usually done with some other factor such as the date and some esoteric PHP functions.

  10. #10
    SitePoint Wizard
    Join Date
    Jan 2005
    Location
    blahblahblah
    Posts
    1,447
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I would really be interested in knowing more. I must admit that I'm a bit lost and wouldn't know where to start. I don't like to do that, but could you show me some code?

    1) How would you create the salt, share it, store it?

    2) How would you create the key, store it, share it?

    Why couldn't I send some sort of password using POST? It could be intercepted?
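
One way to build the per-request token discussed in this thread, as an added example that is not code from any of the posters: ExternalSite puts an HMAC token in a hidden form field and the receiving site recomputes it, so the shared secret itself is never sent in the POST. The constant values, the function names `issue_token` and `verify_token`, and the in-memory `$seen` array (standing in for a persistent store of used nonces) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a random secret (for example bin2hex(random_bytes(32))) generated
// once, exchanged out of band and kept in server-side config on both sites.
// The value below is constructed for this demo.
const SHARED_SECRET = 'constructed-demo-secret-replace-me';
const TOKEN_TTL = 600;  // seconds a rendered form stays valid (assumed)
const CLOCK_SKEW = 60;  // tolerated clock difference between the servers (assumed)

// ExternalSite: called while rendering the form; the result goes in a hidden field.
function issue_token(string $secret, ?int $now = null): string
{
    $ts = (string) ($now ?? time());
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $ts . '.' . $nonce, $secret);
    return $ts . '.' . $nonce . '.' . $mac;
}

// Receiving site: called on the POST with the hidden field's value.
function verify_token($token, string $secret, array &$seen, ?int $now = null): bool
{
    if (!is_string($token)) return false;           // e.g. token[]=x sent as an array
    $parts = explode('.', $token);
    if (count($parts) !== 3) return false;
    [$ts, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $ts . '.' . $nonce, $secret);
    if (!hash_equals($expected, $mac)) return false; // constant-time comparison
    if (!ctype_digit($ts)) return false;
    $age = ($now ?? time()) - (int) $ts;
    if ($age < -CLOCK_SKEW || $age > TOKEN_TTL) return false; // stale or future-dated
    if (isset($seen[$nonce])) return false;          // replay of a used token
    $seen[$nonce] = true;
    return true;
}

// Demo with a fixed clock so the cases are reproducible.
$seen = [];
$t0 = 1700000000;
$token = issue_token(SHARED_SECRET, $t0);
var_dump(verify_token($token, SHARED_SECRET, $seen, $t0 + 60));       // first use
var_dump(verify_token($token, SHARED_SECRET, $seen, $t0 + 60));       // same token again
var_dump(verify_token($token . '0', SHARED_SECRET, $seen, $t0 + 60)); // altered MAC
$late = issue_token(SHARED_SECRET, $t0);
var_dump(verify_token($late, SHARED_SECRET, $seen, $t0 + TOKEN_TTL + 1)); // expired
```

A valid token shows only that ExternalSite rendered the form recently; anyone who can load that form receives a token, so it does not identify the person submitting it. Both the form page and the POST need HTTPS so the token cannot be read in transit and used first.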


