Reputation: 9365
How to check if a request if coming from the same server or different server?
How can I check whether a request being received is sent from the same server??
Say, I've my domain at www.domain.com. Now I've php processing files which will process forms hosted through this domain. This processes will be executed only if the requests are sent from within the domain ie. www.domain.com and any other requests sent from other domains will be discarded.
Upvotes: 38
Views: 64458
Answers (3)
Reputation: 747
this will check if there is a referer, then it will compare it with current domain, if different then it is from outside referer
if ((isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']))) {
if (strtolower(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) != strtolower($_SERVER['HTTP_HOST'])) {
// referer not from the same domain
}
}
Upvotes: 18
Reputation: 401002
Basically : you cannot.
With the HTTP protocol, each request is independent from the others.
A first idea would be to check the Referer HTTP header, but note that :
- It can be faked (it's sent by the browser)
- It is not always present.
So : not a reliable solution.
A possible, and far better than the Referer idea, solution could be to use a nonce :
- When displaying the form, put a hidden input field in it, containing a random value
- At the same time, store that random value into the session that correspond to the user.
- When the form is submitted, check that the hidden field has the same value as the one that's stored in session.
If those two values are not the same, refuse to use the submitted data.
Note : this idea is often used to help fight against CSRF -- and integrated in the "Form" component of some Frameworks (Zend Framework, for instance).
Upvotes: 102
Reputation: 2807
I know this is an old thread, but some one else can probably find it relevant.
The answer is: Yes you can. But it depends if your Apache/nginx server is set to populate the $_SERVER variable with the required information. Most the server are, so probably you can use this approach.
What you need to do is to extract the HTTP_REFERER from the $_SERVER variable and compare with your domain.
<?php
function requestedByTheSameDomain() {
$myDomain = $_SERVER['SCRIPT_URI'];
$requestsSource = $_SERVER['HTTP_REFERER'];
return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST);
}
Upvotes: 9
Related Questions
- How to check if my PHP script is being called from my own domain/server?
- PHP - Detect the incoming url requesting php page from another source/url
- PHP - Ensure GET request is from specific domain
- How to check request come from internal server
- how to verify the requesting server in php?
- Best way to detect if request came from a different domain or a sub domain
- Creating a PHP API: Checking from which server the API Request comes from
- Verify What Server Sends HTTP Request
- How to detect a Web server and localserver?
- Using PHP, how can I tell if a request originates on the hosting server?