Security in PHP

Question

I've written some PHP scripts to do some server-side work on a headless linux server machine on a LAN. For example, I have http://ipadress/php/operations.php?operation=registerUser&uName=X&uAlias=Y. Now, I want to secure my operations script so that; not everyone on LAN can call it and/or run it but; only the ones that ... have a pre-shared key...? This is the point I'm stuck at, requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution. What is/are a more secure way(s) of achieving client-limitation on php scripts?

(I'm thinking of maybe requiring a crypted key file from client when starting the session, and denying access to everybody who havent started a scure session...? That's just me theoratically thinking, have no idea where to start to do it in php.)

edit: I clealrly remember writing "requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution." at my original post, so please kindly stop answering with this same thing over and over again.

edit2: to clear things up: the operations.php is called by a program on client machines on same LAN. I dont want any non-client or stranger machine to use operations.php and dont want anyone to be able to access it through browser. I require some kind of security/authentication method to prevent that. I'm not looking for login forms or simple HttpAuths... Also, I cant just simply put limitations over IP adresses because; it's just not practical and kinda worse than hard coded non crypted passwords...

Answer 1

You could add a "?adminpassword=YOURPASSHERE" or make a admin panel.

Answer 2

It seems to me that you are asking a general question about authentication and authorization for web pages.

There are, of course, many different ways to achieve this. You can setup a session based authentication system that requires the user to enter a valid username/password before accessing the page/script. This could be as simple as a login form that is presented when the user tries to access the page unless they are authenticated. You can then use PHP's built-in session management to persist the authentication across pages.

Alternatively, you could do authentication at the web server level, for example in Apache, through HTTP auth.

Answer 3

The most simple way I can think of:

<?php

if ($_REQUEST['key'] == '38lkjsdIEjrkd' && $_SERVER['REMOTE_ADDR'] == 192.168.1.20) {

// load your web page

} else {

// show login or message about authentication

}

I hope that helps.

Answer 4

This handy website has an example of how they setup security: http://thedailywtf.com/Articles/Starring-The-Admin.aspx

Hope it helps...

Answer 5

I second jonstjohn's opinion on HTTP authentication through creating a .htaccess (to allow only certain addresses to access the script) and .htpasswd (to define users who have access). However, this is true if you only need a quick solution for a few scripts.

If there are more scripts that require limited access, the best solution would be to create a class to take care of user logging and keep track of user session.

Generally speaking, embedding passwords and magic numbers in scripts is considered to be a bad coding style. Not to mention that those hard-coded "if"s are really hard to maintain.

Answer 6

Depends on the level of security you require. Basic Http Auth is simple to set up. See the manual.

Answer 7

If you're using Apache with mod_ssl, it can force clients to authenticate using certificates that are signed by a specific certificate authority.

In theory, you could create just three certificates: Your signing certificate, your server's certificate, and one certificate to distribute to the clients.

This is generally considered a bad idea, though. It's usually better to distribute a separate certificate to each client.