views:

119

answers:

7

I've written some PHP scripts to do some server-side work on a headless linux server machine on a LAN. For example, I have http://ipadress/php/operations.php?operation=registerUser&uName=X&uAlias=Y. Now, I want to secure my operations script so that; not everyone on LAN can call it and/or run it but; only the ones that ... have a pre-shared key...? This is the point I'm stuck at, requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution. What is/are a more secure way(s) of achieving client-limitation on php scripts?

(I'm thinking of maybe requiring a crypted key file from client when starting the session, and denying access to everybody who havent started a scure session...? That's just me theoratically thinking, have no idea where to start to do it in php.)

edit: I clealrly remember writing "requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution." at my original post, so please kindly stop answering with this same thing over and over again.

edit2: to clear things up: the operations.php is called by a program on client machines on same LAN. I dont want any non-client or stranger machine to use operations.php and dont want anyone to be able to access it through browser. I require some kind of security/authentication method to prevent that. I'm not looking for login forms or simple HttpAuths... Also, I cant just simply put limitations over IP adresses because; it's just not practical and kinda worse than hard coded non crypted passwords...

A: 

You could add a "?adminpassword=YOURPASSHERE" or make a admin panel.

M28
hah, while we are at it, we should do security by obfuscation; "?uselessinfohere=YOURPASSHERE"
Daniel T. Magnusson
+1  A: 

It seems to me that you are asking a general question about authentication and authorization for web pages.

There are, of course, many different ways to achieve this. You can setup a session based authentication system that requires the user to enter a valid username/password before accessing the page/script. This could be as simple as a login form that is presented when the user tries to access the page unless they are authenticated. You can then use PHP's built-in session management to persist the authentication across pages.

Alternatively, you could do authentication at the web server level, for example in Apache, through HTTP auth.

jonstjohn
+3  A: 

The most simple way I can think of:

<?php

if ($_REQUEST['key'] == '38lkjsdIEjrkd' && $_SERVER['REMOTE_ADDR'] == 192.168.1.20) {

// load your web page

} else {

// show login or message about authentication

}

I hope that helps.

Jeremy Morgan
A: 

This handy website has an example of how they setup security: http://thedailywtf.com/Articles/Starring-The-Admin.aspx

Hope it helps...

Bryan
Nice one :P (...filler)
jensgram
A: 

I second jonstjohn's opinion on HTTP authentication through creating a .htaccess (to allow only certain addresses to access the script) and .htpasswd (to define users who have access). However, this is true if you only need a quick solution for a few scripts.

If there are more scripts that require limited access, the best solution would be to create a class to take care of user logging and keep track of user session.

Generally speaking, embedding passwords and magic numbers in scripts is considered to be a bad coding style. Not to mention that those hard-coded "if"s are really hard to maintain.

bth
A: 

Depends on the level of security you require. Basic Http Auth is simple to set up. See the manual.

troelskn
+1  A: 

If you're using Apache with mod_ssl, it can force clients to authenticate using certificates that are signed by a specific certificate authority.

In theory, you could create just three certificates: Your signing certificate, your server's certificate, and one certificate to distribute to the clients.

This is generally considered a bad idea, though. It's usually better to distribute a separate certificate to each client.

R. Bemrose
This is the best idea so far. Generating certificates for every client should not be a problem. Can I do something like this in IIS7 on Windows Host (and lighttpd on Linux host) ?
kramer
I'm not really familiar with IIS7, but this page might help: http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/
R. Bemrose