On Sat, Feb 13, 2010 at 7:33 AM, Ryan Sun <ryansun81@xxxxxxxxx> wrote:
> In that case, referer is for authentication, and id is for authorization, I
> think
>
> On Fri, Feb 12, 2010 at 6:23 PM, Ashley Sheridan
> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> On Fri, 2010-02-12 at 18:25 -0500, Ryan Sun wrote:
>>
>>> authenticate by remote domain name or remote ip
>>>
>>> $_SERVER['HTTP_REFERER']
>>>
>>> then your clients will not have to put their username/password in clear
>>> text http://www.mydomain.com?h=300&w=250
>>> and you will just check if you have their domain on your list
>>>
>>> I'm not sure if there is a better one, but
>>> " 'HTTP_REFERER'
>>> The address of the page (if any) which referred the user agent to
>>> the current page. This is set by the user agent. Not all user agents
>>> will set this, and some provide the ability to modify HTTP_REFERER as
>>> a feature. In short, it cannot really be trusted. "
>>>
>>> On Fri, Feb 12, 2010 at 4:26 PM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
>>>> Ashley Sheridan wrote:
>>>>>
>>>>> On Fri, 2010-02-12 at 16:12 -0500, Robert Cummings wrote:
>>>>>
>>>>>> John Allsopp wrote:
>>>>>>>
>>>>>>> Hi everyone
>>>>>>>
>>>>>>> There may be blinding bits of total ignorance in this so don't ignore
>>>>>>> the obvious.
>>>>>>>
>>>>>>> This is a security question, but a sentence of background: I'm writing
>>>>>>> software for a mapping/location website and I want to be able to provide
>>>>>>> something others can plug into their website that would display their map.
>>>>>>>
>>>>>>> So I'm providing a URL like
>>>>>>> http://www.mydomain.com?h=300&w=250&username=name&password=password
>>>>>>>
>>>>>>> The idea is they can define their own height and width and it plugs in
>>>>>>> as an iframe.
>>>>>>>
>>>>>>> That takes the username and password and throws it over web services to
>>>>>>> get back the data from which we can create the map.
>>>>>>>
>>>>>>> My question (and it might be the wrong question) is how can I not give
>>>>>>> away the password to all and sundry yet still provide a self-contained URL?

How about RESTful-like checking? It is much like what Rob said already, but
join all params by order and md5 it altogether.

Regards,
Eric

>>>>>>
>>>>>> MD5() (or SHA()) hash the information and supply that along with the
>>>>>> settings. Then you know it was generated by your site. So you can do the
>>>>>> following:
>>>>>>
>>>>>> <?php
>>>>>>
>>>>>> $height = 300;
>>>>>> $width = 250;
>>>>>> $username = 'username';
>>>>>> $key = md5( "SECRET_SALT-$height-$width-$username" );
>>>>>>
>>>>>> $url =
>>>>>> "http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key";
>>>>>>
>>>>>> ?>
>>>>>>
>>>>>> Then when you get this URL via the iframe, you re-compute the expected
>>>>>> key and then compare it against the given key. Since only you know the
>>>>>> SECRET_SALT value then nobody should be able to forge the key.
>>>>>>
>>>>>> Cheers,
>>>>>> Rob.
>>>>>> --
>>>>>> http://www.interjinn.com
>>>>>> Application and Templating Framework for PHP
>>>>>
>>>>> What about requiring them to sign in the first time to use your service,
>>>>> and then give them a unique id which is tied to their details. You could
>>>>> then get them to pass across this id in the url. You could link their
>>>>> account maybe to some sorts of limits with regards to what they can
>>>>> access maybe?
>>>>
>>>> Presumably they ARE logged in when you create this URL for them... otherwise
>>>> someone else could generate it :)
>>>>
>>>> Cheers,
>>>> Rob.
>>>> --
>>>> http://www.interjinn.com
>>>> Application and Templating Framework for PHP
>>>>
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>> I think Google does both the referrer check coupled with an id passed in
>> the URL. At least, this is what it did the last time I embedded one of their
>> maps.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
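The following is an added example, not code posted by anyone in this thread. It combines the suggestions above into one working PHP 7.1+ script: Rob's idea of a server-generated key that proves the URL came from the site, Eric's point about joining all parameters in a fixed order before hashing, and Ashley's point about handing the customer an account id instead of a password. Two things are swapped in relative to the md5("SECRET_SALT-...") snippet: the key is an HMAC-SHA256 over the canonical query (a keyed hash built for exactly this purpose, so the secret is never hashed as a bare prefix of attacker-influenced data), and the comparison uses hash_equals so it runs in constant time. An exp parameter is also signed so a leaked URL stops working after a while. The secret value, the base URL, the parameter names id/exp/sig and all function names are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread): signed map-embed URLs.
// Assumption: EMBED_SECRET lives only on the server and is never sent to clients.
const EMBED_SECRET = 'replace-with-a-long-random-server-side-secret';
const EMBED_BASE   = 'http://www.mydomain.com/'; // assumption: the iframe endpoint

// Canonical string: every parameter except the signature itself, sorted by
// name and RFC 3986 encoded. Sorting means a customer may reorder the query
// without breaking the signature, while changing, adding or removing any
// parameter changes the string and therefore the signature.
function canonical_query(array $params): string
{
    unset($params['sig']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Keyed hash instead of md5($secret . $data): not subject to length
// extension, and the verifier only needs the same secret.
function sign_params(array $params, string $secret): string
{
    return hash_hmac('sha256', canonical_query($params), $secret);
}

// Run on the server while the customer is logged in. Only a public account
// id goes into the URL; the password never leaves the server.
function build_embed_url(int $height, int $width, string $accountId, int $ttlSeconds,
                         string $secret = EMBED_SECRET, ?int $now = null): string
{
    $params = [
        'h'   => $height,
        'w'   => $width,
        'id'  => $accountId,
        'exp' => ($now ?? time()) + $ttlSeconds, // bounds replay of a leaked URL
    ];
    $params['sig'] = sign_params($params, $secret);
    return EMBED_BASE . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Run by the iframe endpoint on $_GET. Returns the verified parameters, or
// null if anything about the request is wrong.
function verify_embed_request(array $query, string $secret = EMBED_SECRET, ?int $now = null): ?array
{
    foreach (['h', 'w', 'id', 'exp', 'sig'] as $required) {
        if (!isset($query[$required]) || !is_string($query[$required])) {
            return null;
        }
    }
    // Constant-time comparison: a byte-wise == would leak, through timing,
    // how many leading bytes of a guessed signature are correct.
    if (!hash_equals(sign_params($query, $secret), $query['sig'])) {
        return null;
    }
    if (!preg_match('/^\d+$/', $query['exp']) || (int) $query['exp'] < ($now ?? time())) {
        return null; // genuine signature, but the link has expired
    }
    return ['h' => (int) $query['h'], 'w' => (int) $query['w'], 'id' => $query['id']];
}

// Demonstration on a constructed request, parsed the way PHP fills $_GET.
$url = build_embed_url(300, 250, 'acct-42', 3600);
parse_str(parse_url($url, PHP_URL_QUERY), $get);
var_dump(verify_embed_request($get) !== null);      // the URL as issued

$tampered = $get;
$tampered['w'] = '9999';                             // customer edits the width
var_dump(verify_embed_request($tampered));

$reordered = array_reverse($get, true);              // parameters in another order
var_dump(verify_embed_request($reordered) !== null);

$forged = $get;
$forged['id'] = 'acct-1';                            // points the embed at another account
var_dump(verify_embed_request($forged));
```

Everything that affects what the endpoint will serve (here h, w, id and exp) has to be inside the signed set; a parameter read by the endpoint but left out of the canonical string can be changed freely. The referer check discussed earlier can still be layered on top for the domain-whitelist use case, but, as the quoted manual text says, it is set by the user agent and cannot be relied on by itself.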