Using PHP, how can I tell if a request originates on the hosting server?

Question

Is there a reliable way, using PHP, to determine if a request comes from the same host that the PHP script is hosted on? In other words, is there a way to determine if the client and server computer are the same?

Answer 1

This is the sort of question where I think we should step back and ask why are you doing what you're doing?

Determining if the request came from the local machine by your stated method has problems, not hte least of which is virtual interfaces and multi-homing (meaning a machine can have many IP addresses and a server may be bound to only some of them).

If you're going to use a request coming locally as some kind of check for certain privileges, my advice is don't. yes someone can spoof IP address (but they won't get a reply) but that may still be sufficient.

If what you're doing is creating some kind of admin page or site then my advice is bind that to localhost (127.0.0.1) and problem solved (pretty much).

Also if the client and server are on the same machine and you're not doing some kind of special page or site then why do they need to communicate via the Website? You could just run scripts locally instead.

Basically it depends on the situation.

Answer 2

Hmm, it sounds like a token mechanism that is commonly used to prevent CSRF (Cross-Site Request Forgery) might be a solution to your problem. This will allow you to be sure the request is coming from a source by comparing tokens, etc. Here are a couple links with more implementation details: here and here

Answer 3

You could define a secret token that only the server knows of that you can send together with the request.