In that case, referer is for authentication, and id is for authorization, I think On Fri, Feb 12, 2010 at 6:23 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx>wrote: > On Fri, 2010-02-12 at 18:25 -0500, Ryan Sun wrote: > > authenticate by remote domain name or remote ip > > $_SERVER['HTTP_REFERER'] > > then your clients will not have to put their username/password in clear texthttp://www.mydomain.com?h=300&w=250 > and you will just check if you have their domain on your list > > I'm not sure if there is better one but > " 'HTTP_REFERER' > The address of the page (if any) which referred the user agent to > the current page. This is set by the user agent. Not all user agents > will set this, and some provide the ability to modify HTTP_REFERER as > a feature. In short, it cannot really be trusted. " > > > On Fri, Feb 12, 2010 at 4:26 PM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote: > > Ashley Sheridan wrote: > >> > >> On Fri, 2010-02-12 at 16:12 -0500, Robert Cummings wrote: > >> > >>> John Allsopp wrote: > >>>> > >>>> Hi everyone > >>>> > >>>> There may be blinding bits of total ignorance in this so don't ignore > >>>> the obvious. > >>>> > >>>> This is a security question, but a sentence of background: I'm writing > >>>> software for a mapping/location website and I want to be able to provide > >>>> something others can plug into their website that would display their map. > >>>> > >>>> So I'm providing a URL like > >>>> http://www.mydomain.com?h=300&w=250&username=name&password=password > >>>> > >>>> The idea is they can define their own height and width and it plugs in > >>>> as an iframe. > >>>> > >>>> That takes the username and password and throws it over web services to > >>>> get back the data from which we can create the map. > >>>> > >>>> My question (and it might be the wrong question) is how can I not give > >>>> away the password to all and sundry yet still provide a self-contained URL? > >>> > >>> MD5() (or SHA()) hash the information and supply that along with the > >>> settings. Then you know it was generated by your site. So you can do the > >>> following: > >>> > >>> <?php > >>> > >>> $height = 300; > >>> $width = 250; > >>> $username = 'username'; > >>> $key = md5( "SECRET_SALT-$heigh-$width-$username" ); > >>> > >>> $url = > >>> "http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key"; > >>> > >>> ?> > >>> > >>> Then when you get this URL via the iframe, you re-compute the expected > >>> key and then compare it against the given key. Since only you know the > >>> SECRET_SALT value then nobody should be able to forge the key. > >>> > >>> Cheers, > >>> Rob. > >>> -- > >>> http://www.interjinn.com > >>> Application and Templating Framework for PHP > >>> > >> > >> > >> What about requiring them to sign in the first time to use your service, > >> and then give them a unique id which i tied to their details. You could > >> then get them to pass across this id in the url. You could link their > >> account maybe to some sorts of limits with regards to what they can > >> access maybe? > > > > Presumably they ARE logged in when you create this URL for them... otherwise > > someone else could generate it :) > > > > Cheers, > > Rob. > > -- > > http://www.interjinn.com > > Application and Templating Framework for PHP > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > I think Google does both the referrer check coupled with an id passed in > the URL. At least, this is what it did the last time I embedded one of their > maps. > > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > >