Ashley Sheridan wrote:
On Fri, 2010-02-12 at 16:12 -0500, Robert Cummings wrote:
John Allsopp wrote:
Hi everyone
There may be blinding bits of total ignorance in this so don't ignore
the obvious.
This is a security question, but a sentence of background: I'm writing
software for a mapping/location website and I want to be able to provide
something others can plug into their website that would display their map.
So I'm providing a URL like
http://www.mydomain.com?h=300&w=250&username=name&password=password
The idea is they can define their own height and width and it plugs in
as an iframe.
That takes the username and password and throws it over web services to
get back the data from which we can create the map.
My question (and it might be the wrong question) is how can I not give
away the password to all and sundry yet still provide a self-contained URL?
MD5() (or SHA()) hash the information and supply that along with the
settings. Then you know it was generated by your site. So you can do the
following:
<?php
$height = 300;
$width = 250;
$username = 'username';
$key = md5( "SECRET_SALT-$heigh-$width-$username" );
$url =
"http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key";;
?>
Then when you get this URL via the iframe, you re-compute the expected
key and then compare it against the given key. Since only you know the
SECRET_SALT value then nobody should be able to forge the key.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
What about requiring them to sign in the first time to use your service,
and then give them a unique id which i tied to their details. You could
then get them to pass across this id in the url. You could link their
account maybe to some sorts of limits with regards to what they can
access maybe?
Presumably they ARE logged in when you create this URL for them...
otherwise someone else could generate it :)
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
