jjshell — 2012-02-01T12:03:34-05:00 — #1
ExternalSite sends a request to my site. Is there a way to verify the request source, and make sure it's coming from ExternalSite? I don't have access to ExternalSite server. I know that $_SERVER isn't of any help in that case, so I guess it's a more complicated scenario that awaits me.
susen — 2012-02-01T12:44:40-05:00 — #2
You can use $_SERVER['HTTP_REFERER'] to identify the referral link from where the request is coming.
jjshell — 2012-02-01T13:01:47-05:00 — #3
It can't be trusted, can it?
susen — 2012-02-01T22:22:52-05:00 — #4
Yes, I agree with you. But I don't know any other reliable method to track viewer's path.
logic_earth — 2012-02-02T04:09:27-05:00 — #5
I assume external site has a set IP address? Just verify the IP address.
As long as the external site is doing the request and not in the form of an iframe.
jjshell — 2012-02-02T06:49:53-05:00 — #6
The form is sent from the external site. It could be anyone filling this form and posting it directly to my website. I'm trying to find if, in that scenario, it is possible to know if the form has been filled on ExternalWebsite and sent from it. I guess a token will be necessary.
logic_earth — 2012-02-02T08:10:50-05:00 — #7
You would need a token that is generated for each request that only you and the external site would know how to generate. Otherwise, no, there is no way to reliably verify the request was from some form on a particular site.
jjshell — 2012-02-02T11:49:27-05:00 — #8
How would such a token be generated? I can't understand how two different servers could come up with the same token.
What about a key that both sites would share?
cups — 2012-02-02T13:44:50-05:00 — #9
The shared key would be the salt (php salt); the way you then create the rest of some convoluted key is up to you. It's usually done with some other factor such as the date and some esoteric PHP functions.
jjshell — 2012-02-02T15:15:52-05:00 — #10
I would really be interested in knowing more. I must admit that I'm a bit lost and wouldn't know where to start. I don't like to do that, but could you show me some code?
1) How would you create the salt, share it, store it?
2) How would you create the key, store it, share it?
Why couldn't I send some sort of password using POST? It could be intercepted?
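One way to build the shared-key token discussed in this thread, as an added example that is not code from any poster: ExternalSite's server signs each request with HMAC-SHA256, and the receiving site recomputes the signature, so the key itself never travels with the POST. The function names, the `ts`/`nonce`/`sig` field names, the five-minute window and the in-memory nonce store are assumptions, and the scheme assumes ExternalSite's operator can run this code server-side with a key exchanged out of band.

```php
<?php
// Added example: all names and values are constructed; not code from the thread.
const MAX_AGE = 300; // seconds a signed request stays valid (assumed policy)

// Runs on ExternalSite's server before the form data is posted.
function sign_request(array $fields, string $key, int $now, string $nonce): array
{
    ksort($fields); // canonical field order so both sides hash the same bytes
    $payload = $now . "\n" . $nonce . "\n" . http_build_query($fields);
    $fields['ts']    = (string) $now;
    $fields['nonce'] = $nonce;
    $fields['sig']   = hash_hmac('sha256', $payload, $key);
    return $fields;
}

// Runs on the receiving site. $seen is a hypothetical nonce store (use a DB or cache in practice).
function verify_request(array $post, string $key, int $now, array &$seen): bool
{
    foreach (['ts', 'nonce', 'sig'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) return false; // missing or malformed
    }
    [$ts, $nonce, $sig] = [$post['ts'], $post['nonce'], $post['sig']];
    unset($post['ts'], $post['nonce'], $post['sig']);
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_AGE) return false; // stale timestamp
    if (isset($seen[$nonce])) return false;                                  // replayed request
    ksort($post);
    $expected = hash_hmac('sha256', $ts . "\n" . $nonce . "\n" . http_build_query($post), $key);
    if (!hash_equals($expected, $sig)) return false; // constant-time comparison
    $seen[$nonce] = (int) $ts;                       // remember the nonce until it expires
    return true;
}

// Constructed demo. The key is a placeholder; generate a real one with random_bytes(32).
$key    = 'constructed-demo-key-not-for-production';
$seen   = [];
$form   = ['email' => 'user@example.com', 'plan' => 'basic'];
$signed = sign_request($form, $key, 1328200000, bin2hex(random_bytes(16)));

var_dump(verify_request($signed, $key, 1328200010, $seen)); // fresh, untouched request
var_dump(verify_request($signed, $key, 1328200020, $seen)); // same request sent a second time
$forged = ['plan' => 'premium'] + sign_request($form, $key, 1328200000, bin2hex(random_bytes(16)));
var_dump(verify_request($forged, $key, 1328200010, $seen)); // field changed after signing
```

The nonce store has to persist across requests; entries older than `MAX_AGE` can be purged because the timestamp check already rejects them.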