CODEWITHSUNDEEP
php
visevo
visevo

Reputation: 861

PHP restrict page requests to a specific server?

Basically my script streams an mp3 file that's outside of web root. My script is called from another website via inside an audio tag, if that makes sense. Here's how it looks:

Webiste #2:

<audio src="http://website#1.com/getMp3?file=somehashedvalue"></audio>

The idea is that I want to only allow website #2 to get this stream, meaning if you were to go directly to http://website#1.com/getMp3?file=somehashedvalue you would get a 404.

In my getMp3.php class (hosted on website #1), this does NOT work:

$whitelist = $this->getWhitelist();
$ip = $_SERVER['REMOTE_ADDR'];

if( !in_array( $ip, $whitelist ) {
    header('HTTP/1.0 404 Not Found');
    exit;
} else {
    //continue
}

When looking at the logs, the request on Website #1 coming from Website #2 is actually the client's IP Address.

Any ideas as to how I can get the IP address of Website #2?

Upvotes: 0

Views: 48

Answers (1)

developerwjk
developerwjk

Reputation: 8659

You can try checking the referrer ($_SERVER['HTTP_REFERER']) for the domain name of the other site, but it can be spoofed. And some users may have their browsers set to never send a referrer at all. It also may depend on the browser whether it would even try to send a referrer when following the link in an audio tag or not. But if you're leaving it this open (allowing another site to link a file in an audio tag) then some unauthorized people will end up downloading the file. That is certain.

The reason checking $_SERVER['REMOTE_ADDR'] doesn't work is the <audio> tag is parsed by the browser. It is not really the other website requesting the file; its the user's browser.

Upvotes: 1

Related Questions