Reputation: 1449
Is there any way by which I could know exactly which server a POST request has originated from?
I'm trying to implement a method wherein I could check that a specific request has originated from my website, and hence this will help me keep my website secure.
Thanks
Upvotes: 7
Views: 5575
Reputation: 4416
It sounds like you are trying to implement Cross Site Request Forgery protection, in which you need to make sure the request originated from HTML delivered from your web server. Do not rely on the referer header for this as it is often stripped in firewalls, and can be manipulated.
See OWASP for some good sources on how to implement this kind of protection. Basically it goes like this:
1. Generate a secure random value and stick it on the user's session.
2. For every HTML form, include this value as a hidden value ().
3. Whenever a POST request comes back to your server, check that the value from the hidden field is the same as the one in the user's session. Reject the request if it isn't.
Because the value is unique per user, an attacker could not simply forge a form with prepopulated values, and trick the user into automatically posting it with JavaScript. The request would be rejected as the attacker would not know which value to include for the hidden field in his forged form.
Upvotes: 9
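The three steps from the answer above, as an added example that is not part of the original answer. It assumes the session is a server-side dict-like object; the field name `csrf_token` and the helper names are hypothetical.

```python
import hmac
import html
import secrets

CSRF_FIELD = "csrf_token"  # hypothetical field name, not from the answer


def issue_token(session: dict) -> str:
    """Step 1: create one unpredictable token per session and store it server-side."""
    if CSRF_FIELD not in session:
        session[CSRF_FIELD] = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return session[CSRF_FIELD]


def render_form(session: dict, action: str) -> str:
    """Step 2: embed the session's token in every form as a hidden field."""
    token = html.escape(issue_token(session), quote=True)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
        '<button type="submit">Send</button></form>'
    )


def is_valid_post(session: dict, form: dict) -> bool:
    """Step 3: accept the POST only if the submitted token matches the session's."""
    expected = session.get(CSRF_FIELD)
    submitted = form.get(CSRF_FIELD)
    # A missing token on either side is a rejection, never a match of None == None.
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed sessions and form submissions, standing in for a real framework.
    alice, bob = {}, {}
    render_form(alice, "/transfer")
    render_form(bob, "/transfer")
    print(is_valid_post(alice, {CSRF_FIELD: alice[CSRF_FIELD], "amount": "10"}))  # legitimate
    print(is_valid_post(alice, {"amount": "10"}))               # forged form, no token
    print(is_valid_post(alice, {CSRF_FIELD: bob[CSRF_FIELD]}))  # another user's token
    print(is_valid_post({}, {CSRF_FIELD: ""}))                  # no session token issued
```

The explicit type check in `is_valid_post` matters: without it, a request with no token against a session with no token would compare equal and be accepted.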
Reputation: 8259
Take a look at this:
http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention
Upvotes: 3
Reputation: 3691
I think you need to read this:
http://www.cyberciti.biz/faq/how-to-determine-retrieve-visitors-ip-address-use-php-code-programming/
Upvotes: 1