Is there a reliable way, using PHP, to determine if a request comes from the same host that the PHP script is hosted on? In other words, is there a way to determine if the client and server computer are the same?
+4
A:
You could define a secret token that only the server knows of that you can send together with the request.
Gumbo
2009-08-10 16:07:37
+2
A:
Hmm, it sounds like a token mechanism that is commonly used to prevent CSRF (Cross-Site Request Forgery) might be a solution to your problem. This will allow you to be sure the request is coming from a source by comparing tokens, etc. Here are a couple links with more implementation details: here and here
Gailin
2009-08-10 16:09:46
Useful links, thanks.
Travis Beale
2009-08-10 17:11:01
+2
A:
This is the sort of question where I think we should step back and ask why are you doing what you're doing?
Determining if the request came from the local machine by your stated method has problems, not hte least of which is virtual interfaces and multi-homing (meaning a machine can have many IP addresses and a server may be bound to only some of them).
If you're going to use a request coming locally as some kind of check for certain privileges, my advice is don't. yes someone can spoof IP address (but they won't get a reply) but that may still be sufficient.
If what you're doing is creating some kind of admin page or site then my advice is bind that to localhost (127.0.0.1) and problem solved (pretty much).
Also if the client and server are on the same machine and you're not doing some kind of special page or site then why do they need to communicate via the Website? You could just run scripts locally instead.
Basically it depends on the situation.
cletus
2009-08-10 16:11:58
Agree 100% with your last point, I have other scripts that are secured simply by not being accessible from the web at all and are run from the console. It's complicated to explain, but I can't do that in this case.
Travis Beale
2009-08-10 16:21:31