TechQA.

How to make my PHP client be the only one that can get data from my PHP server

1.6k views Asked by At

Hello I have this simple code:

Client

<?php

function get_url($request_url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request_url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

$request_url = 'http://localhost:8080/vb/dashboard/Marketing_dashboard/vb_server.php?function=somefunction';
$response = get_url($request_url);

print_r($response);

Server

if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
{
    echo somefunction();
}
function somefunction()
{
    return "this is the output of the server";
}

Now I need to add security so that only my client is able to get the data. I thought of a pair keys so I send some hash encripted with the clients private key and the decode it with the public key on the server. But I dont lnow how to implement this. I don't know how to get the keys and I don't know how to do the code.

I'm open to options. How can I make my client the only one able to get the data from that server?

php security curl spoofing key-pair
Original Q&A
2

There are 2 answers

0
Chris Rasco On BEST ANSWER

For starters, make the client connect to an https endpoint so it's encrypted. Next, you could pass in a token via an HTTP header and check it on the client side.

The Rackspace APIs use the following header:

X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

Then you can grab the headers, validate the token is correct. If so, execute the function. If not, return a blank page or something else.

You'll set your header like this:

curl_setopt($c, CURLOPT_HTTPHEADER, array('X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf'));

Check it like:

$headers = getallheaders();
if($headers['X-Auth-Token'] == 'asdflkjasdflkjasdflkjsadflkjasdf')
{
  if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
  {
      echo somefunction();
  }
}
else
{
  echo "BAD TOKEN!";
}

function somefunction()
{
    return "this is the output of the server";
}

Tested output:

root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4   libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: stuff

BAD TOKEN!


root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

DO STUFF
0
Russ Huguley On

You can setup a client certificate as well so that it uses the certificate that your client presents to do the authentication. It may be a bit of overkill depending on what you are trying to do. See the section "Client Authentication and Access Control"

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

Related Questions in PHP

Related Questions in SECURITY

Related Questions in CURL

Related Questions in SPOOFING

Related Questions in KEY-PAIR

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions