Re: How to secure this

Authenticate by remote domain name or remote IP:

$_SERVER['HTTP_REFERER']

Then your clients will not have to put their username/password in clear text:
http://www.mydomain.com?h=300&w=250
and you will just check if you have their domain on your list.

I'm not sure if there is a better one, but:
" 'HTTP_REFERER'
    The address of the page (if any) which referred the user agent to
the current page. This is set by the user agent. Not all user agents
will set this, and some provide the ability to modify HTTP_REFERER as
a feature. In short, it cannot really be trusted. "


On Fri, Feb 12, 2010 at 4:26 PM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> Ashley Sheridan wrote:
>>
>> On Fri, 2010-02-12 at 16:12 -0500, Robert Cummings wrote:
>>
>>> John Allsopp wrote:
>>>>
>>>> Hi everyone
>>>>
>>>> There may be blinding bits of total ignorance in this so don't ignore
>>>> the obvious.
>>>>
>>>> This is a security question, but a sentence of background: I'm writing
>>>> software for a mapping/location website and I want to be able to provide
>>>> something others can plug into their website that would display their map.
>>>>
>>>> So I'm providing a URL like
>>>> http://www.mydomain.com?h=300&w=250&username=name&password=password
>>>>
>>>> The idea is they can define their own height and width and it plugs in
>>>> as an iframe.
>>>>
>>>> That takes the username and password and throws it over web services to
>>>> get back the data from which we can create the map.
>>>>
>>>> My question (and it might be the wrong question) is how can I not give
>>>> away the password to all and sundry yet still provide a self-contained URL?
>>>
>>> MD5() (or SHA()) hash the information and supply that along with the
>>> settings. Then you know it was generated by your site. So you can do the
>>> following:
>>>
>>> <?php
>>>
>>> $height = 300;
>>> $width = 250;
>>> $username = 'username';
>>> // SECRET_SALT is known only to the server that generates and checks URLs
>>> $key = md5( "SECRET_SALT-$height-$width-$username" );
>>>
>>> $url =
>>> "http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key";
>>>
>>> ?>
>>>
>>> Then when you get this URL via the iframe, you re-compute the expected
>>> key and then compare it against the given key. Since only you know the
>>> SECRET_SALT value then nobody should be able to forge the key.
>>>
>>> Cheers,
>>> Rob.
>>> --
>>> http://www.interjinn.com
>>> Application and Templating Framework for PHP
>>>
>>
>>
>> What about requiring them to sign in the first time to use your service,
>> and then give them a unique id which is tied to their details. You could
>> then get them to pass across this id in the url. You could link their
>> account maybe to some sort of limits with regards to what they can
>> access maybe?
>
> Presumably they ARE logged in when you create this URL for them... otherwise
> someone else could generate it :)
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
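The signed-URL scheme Rob describes above, written out as an added example that is not from the thread. It keeps his idea (the server computes a key over the parameters with a secret only it knows, then recomputes and compares on the way in) but uses HMAC-SHA256 via hash_hmac() instead of md5(secret . data), which is a secret-prefix hash and so exposed to length extension, signs a canonical, URL-encoded form of all parameters so a '-' or '&' inside a username cannot blur a parameter boundary, and compares with hash_equals() so the check is constant-time. The names SECRET_KEY, canonical(), sign_map_url() and verify_map_request() are chosen here, and the tampered-width check at the end uses constructed values:

```php
<?php
// Added example (not code from the thread). SECRET_KEY is an assumed placeholder;
// in a real deployment load a long random value from server-side config.
const SECRET_KEY = 'replace-with-a-long-random-value-kept-server-side';

/**
 * Canonical string to sign: parameters sorted by name and URL-encoded
 * (RFC 3986), so the encoding is unambiguous on both sides regardless of
 * the characters a client puts in the username.
 */
function canonical(array $params): string {
    ksort($params);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Generating side: called while the customer is logged in, produces the
 * self-contained URL they paste into their iframe. No password in the URL.
 */
function sign_map_url(string $base, int $h, int $w, string $username): string {
    $params = ['h' => $h, 'w' => $w, 'username' => $username];
    $params['key'] = hash_hmac('sha256', canonical($params), SECRET_KEY);
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Serving side: recompute the HMAC over every parameter except 'key' and
 * compare in constant time. True only if nothing in the query was altered.
 */
function verify_map_request(array $query): bool {
    if (!isset($query['key']) || !is_string($query['key'])) {
        return false;
    }
    $given = $query['key'];
    unset($query['key']);
    $expected = hash_hmac('sha256', canonical($query), SECRET_KEY);
    return hash_equals($expected, $given);
}

// Usage with constructed values (what $_GET would contain for the iframe):
$url = sign_map_url('http://www.mydomain.com', 300, 250, 'name');
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(verify_map_request($q));   // bool(true)

$q['w'] = '900';                    // client edits the width in the URL
var_dump(verify_map_request($q));   // bool(false): key no longer matches
```

Because every parameter that affects the response is covered by the HMAC, a client can resize the map only by asking the server for a freshly signed URL; anything they change by hand fails verification. Adding an expiry timestamp as one more signed parameter would also let old URLs stop working, which the thread does not discuss.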

