Question

Hello I have this simple code:

Client

<?php

function get_url($request_url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $request_url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

$request_url = 'http://localhost:8080/vb/dashboard/Marketing_dashboard/vb_server.php?function=somefunction';
$response = get_url($request_url);

print_r($response);

Server

<?php

// Dispatch only when the request names the one function this endpoint exposes.
if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
{
    echo somefunction();
}

function somefunction()
{
    return "this is the output of the server";
}

Now I need to add security so that only my client is able to get the data. I thought of a pair of keys, so I send some hash encrypted with the client's private key and then decode it with the public key on the server. But I don't know how to implement this. I don't know how to get the keys and I don't know how to do the code.

I'm open to options. How can I make my client the only one able to get the data from that server?


Solution

For starters, make the client connect to an https endpoint so it's encrypted. Next, you could pass in a token via an HTTP header and check it on the client side.

The Rackspace APIs use the following header:

X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

Then you can grab the headers, validate the token is correct. If so, execute the function. If not, return a blank page or something else.

You'll set your header like this:

curl_setopt($c, CURLOPT_HTTPHEADER, array('X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf'));

Check it like:

<?php

// getallheaders() is available under the Apache SAPI (and under PHP-FPM since PHP 7.3).
// Guard with isset() so a request without the header does not raise an undefined-index notice,
// and use a strict comparison so no type juggling can occur.
$headers = getallheaders();
if(isset($headers['X-Auth-Token']) && $headers['X-Auth-Token'] === 'asdflkjasdflkjasdflkjsadflkjasdf')
{
  if(isset($_GET['function']) && $_GET['function'] == 'somefunction')
  {
      echo somefunction();
  }
}
else
{
  echo "BAD TOKEN!";
}

function somefunction()
{
    return "this is the output of the server";
}

Tested output:

root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4   libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: stuff

BAD TOKEN!


root@app01:/var/www/vhosts/application# curl -s http://localhost/headers.php -H "X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf"

User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: localhost
Accept: */*
X-Auth-Token: asdflkjasdflkjasdflkjsadflkjasdf

DO STUFF
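A hardened form of the header check above, added here as an example and not part of the original answer. It assumes the shared token is supplied in an environment variable named API_TOKEN (a name chosen for this example) rather than hard-coded in the script, reads the header through $_SERVER so it works on any SAPI, compares with hash_equals() so the check is constant-time, and refuses the request with a 403 before any function is dispatched.

```php
<?php
// Added example (not the original answer's code).
// Assumes the shared secret is provided as the environment variable API_TOKEN,
// a name chosen for this example, e.g. set in the web server's configuration.

function expected_token(): string
{
    $token = getenv('API_TOKEN');
    if ($token === false || $token === '') {
        // Fail closed: a missing secret must never mean "anything matches".
        http_response_code(500);
        exit('server misconfigured');
    }
    return $token;
}

function presented_token(): string
{
    // The CGI convention exposes "X-Auth-Token" as $_SERVER['HTTP_X_AUTH_TOKEN'],
    // so no getallheaders() dependency is needed.
    return isset($_SERVER['HTTP_X_AUTH_TOKEN']) ? (string) $_SERVER['HTTP_X_AUTH_TOKEN'] : '';
}

function require_token(): void
{
    // hash_equals() runs in constant time, so response timing does not
    // reveal how many leading bytes of a guessed token were correct.
    if (!hash_equals(expected_token(), presented_token())) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit('BAD TOKEN!');
    }
}

function somefunction(): string
{
    return "this is the output of the server";
}

require_token();

// Dispatch through an explicit allow-list; never call a function name taken from the request.
$allowed = ['somefunction' => 'somefunction'];
$name = $_GET['function'] ?? '';
if (isset($allowed[$name])) {
    echo $allowed[$name]();
} else {
    http_response_code(404);
}
```

The client sends the same token with CURLOPT_HTTPHEADER as shown above; the token only stays secret if the endpoint is served over HTTPS and the client keeps CURLOPT_SSL_VERIFYPEER enabled.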

OTHER TIPS

You can setup a client certificate as well so that it uses the certificate that your client presents to do the authentication. It may be a bit of overkill depending on what you are trying to do. See the section "Client Authentication and Access Control"

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow