Reputation: 1159
Hello, I have this simple code:
Client
<?php
// Fetch $request_url with cURL and return the response body as a string.
function get_url($request_url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request_url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); // give up if no connection within 10 s
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}
$request_url = 'http://localhost:8080/vb/dashboard/Marketing_dashboard/vb_server.php?function=somefunction';
$response = get_url($request_url);
print_r($response);
Server
<?php
// Dispatch on the ?function= query parameter; only 'somefunction' is known.
if (isset($_GET['function']) && $_GET['function'] == 'somefunction')
{
    echo somefunction();
}
function somefunction()
{
    return "this is the output of the server";
}
Now I need to add security so that only my client is able to get the data. I thought of a key pair, so I send some hash encrypted with the client's private key and then decode it with the public key on the server. But I don't know how to implement this. I don't know how to get the keys and I don't know how to write the code.
I'm open to options. How can I make my client the only one able to get the data from that server?
Upvotes: 0
Views: 1627
Reputation: 2731
For starters, make the client connect to an https endpoint so it's encrypted. Next, you could pass in a token via an HTTP header and check it on the client side.
The Rackspace APIs use the following header:
X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf
Then you can grab the headers and validate that the token is correct. If so, execute the function. If not, return a blank page or something else.
You'll set your header like this:
curl_setopt($c, CURLOPT_HTTPHEADER, array('X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf')); // $c is the cURL handle from curl_init()
Check it like:
<?php
// getallheaders() returns the request headers as an associative array.
$headers = getallheaders();
// isset() avoids an undefined-index notice when the header is absent.
if (isset($headers['X-Auth-Token']) && $headers['X-Auth-Token'] === 'asdflkjasdflkjasdflkjsadflkjasdf')
{
    if (isset($_GET['function']) && $_GET['function'] == 'somefunction')
    {
        echo somefunction();
    }
}
else
{
    echo "BAD TOKEN!";
}
function somefunction()
{
    return "this is the output of the server";
}
Tested output:
root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: stuff
BAD TOKEN!
root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf
DO STUFF
Upvotes: 2
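A hardened version of the header check described in this answer, added here as an example (not the answerer's code). It assumes PHP 7.1 or newer, that the shared secret is provisioned on both machines in an environment variable named API_AUTH_TOKEN (a placeholder name), and that the endpoint is served over HTTPS as the answer recommends.

```php
<?php
// Added example, not code from the question or the answers. Assumes the shared
// secret lives in the environment variable API_AUTH_TOKEN (placeholder name) on
// both machines and that the server is reachable only over HTTPS.

// ---------- server side (vb_server.php) ----------
const ALLOWED_FUNCTIONS = ['somefunction'];

function somefunction(): string {
    return "this is the output of the server";
}

function authenticate_request(array $server, string $expected): bool {
    // A bearer token sent over plain HTTP can be read by anyone on the path.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return false;
    }
    // Request headers arrive in $_SERVER as HTTP_<NAME> under Apache, nginx and
    // php-fpm alike; getallheaders() is not available under every SAPI.
    $presented = (string) ($server['HTTP_X_AUTH_TOKEN'] ?? '');
    // Constant-time comparison: == leaks via timing how many leading bytes of a
    // guess matched, and also applies PHP's loose type juggling.
    return $expected !== '' && hash_equals($expected, $presented);
}

function handle(array $server, array $get, string $expected): array {
    if (!authenticate_request($server, $expected)) {
        return [403, 'Forbidden'];        // same reply for missing and wrong token
    }
    $name = $get['function'] ?? '';
    if (!in_array($name, ALLOWED_FUNCTIONS, true)) {
        return [404, 'Unknown function']; // explicit allow-list; never call $name blindly
    }
    return [200, $name()];
}

if (PHP_SAPI !== 'cli') {                 // under the web server, act as vb_server.php
    [$status, $body] = handle($_SERVER, $_GET, (string) getenv('API_AUTH_TOKEN'));
    http_response_code($status);
    echo $body;
}
```

On the client, the only change to the question's get_url() is adding CURLOPT_HTTPHEADER with the token (as shown in this answer) and leaving CURLOPT_SSL_VERIFYPEER at its default of true, so the token is never handed to an impostor server.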
Reputation: 856
You can set up a client certificate as well, so that it uses the certificate that your client presents to do the authentication. It may be a bit of overkill depending on what you are trying to do. See the section "Client Authentication and Access Control":
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
Upvotes: 0