Re: How to secure this

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In that case, referer is for authentication, and id is for authorization, I
think

On Fri, Feb 12, 2010 at 6:23 PM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx>wrote:

>  On Fri, 2010-02-12 at 18:25 -0500, Ryan Sun wrote:
>
> authenticate by remote domain name or remote ip
>
> $_SERVER['HTTP_REFERER']
>
> then your clients will not have to put their username/password in clear texthttp://www.mydomain.com?h=300&w=250
> and you will just check if you have their domain on your list
>
> I'm not sure if there is better one but
> " 'HTTP_REFERER'
>     The address of the page (if any) which referred the user agent to
> the current page. This is set by the user agent. Not all user agents
> will set this, and some provide the ability to modify HTTP_REFERER as
> a feature. In short, it cannot really be trusted. "
>
>
> On Fri, Feb 12, 2010 at 4:26 PM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> > Ashley Sheridan wrote:
> >>
> >> On Fri, 2010-02-12 at 16:12 -0500, Robert Cummings wrote:
> >>
> >>> John Allsopp wrote:
> >>>>
> >>>> Hi everyone
> >>>>
> >>>> There may be blinding bits of total ignorance in this so don't ignore
> >>>> the obvious.
> >>>>
> >>>> This is a security question, but a sentence of background: I'm writing
> >>>> software for a mapping/location website and I want to be able to provide
> >>>> something others can plug into their website that would display their map.
> >>>>
> >>>> So I'm providing a URL like
> >>>> http://www.mydomain.com?h=300&w=250&username=name&password=password
> >>>>
> >>>> The idea is they can define their own height and width and it plugs in
> >>>> as an iframe.
> >>>>
> >>>> That takes the username and password and throws it over web services to
> >>>> get back the data from which we can create the map.
> >>>>
> >>>> My question (and it might be the wrong question) is how can I not give
> >>>> away the password to all and sundry yet still provide a self-contained URL?
> >>>
> >>> MD5() (or SHA()) hash the information and supply that along with the
> >>> settings. Then you know it was generated by your site. So you can do the
> >>> following:
> >>>
> >>> <?php
> >>>
> >>> $height = 300;
> >>> $width = 250;
> >>> $username = 'username';
> >>> $key = md5( "SECRET_SALT-$heigh-$width-$username" );
> >>>
> >>> $url =
> >>> "http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key";;
> >>>
> >>> ?>
> >>>
> >>> Then when you get this URL via the iframe, you re-compute the expected
> >>> key and then compare it against the given key. Since only you know the
> >>> SECRET_SALT value then nobody should be able to forge the key.
> >>>
> >>> Cheers,
> >>> Rob.
> >>> --
> >>> http://www.interjinn.com
> >>> Application and Templating Framework for PHP
> >>>
> >>
> >>
> >> What about requiring them to sign in the first time to use your service,
> >> and then give them a unique id which i tied to their details. You could
> >> then get them to pass across this id in the url. You could link their
> >> account maybe to some sorts of limits with regards to what they can
> >> access maybe?
> >
> > Presumably they ARE logged in when you create this URL for them... otherwise
> > someone else could generate it :)
> >
> > Cheers,
> > Rob.
> > --
> > http://www.interjinn.com
> > Application and Templating Framework for PHP
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
>
> I think Google does both the referrer check coupled with an id passed in
> the URL. At least, this is what it did the last time I embedded one of their
> maps.
>
>
>   Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux