
How to check if a page has been only called from a specific domain



I have been given a task as below:

1-- When anyone opens my website abc.com, it should be redirected to another domain (xyz.com).

2-- On xyz.com the user will enter his username/password, which is for this xyz.com (please note the username/password is of xyz.com), and after successful authentication the user will be redirected to my website homepage again. This will be done by xyz.com.

3-- Now my task is to check if my domain homepage is called from xyz.com after successful authentication.

4-- If the user goes to any other page on my abc.com website, he should not go again to xyz.com for authentication as he has already authenticated... I guess this will be done via cookie.

Some sample code will help a lot.

 

Have you tried anything?

 

Cookies don't work cross-domain.

 

I will set cookies only when I know the page is redirected from xyz.com.

My main concern is how to check if my abc.com is accessed via xyz.com or not.

Will HTTP_REFERER help or not?

HTTP_REFERER is defined by the client, therefore it can be faked, or not exist at all.

 

You could use two-way encryption to communicate from server-a to server-b and validate information, but that should be entirely server-side.

 

Why, exactly, do you need to authorize against information stored on an outside server?

My website is one of my community websites. The xyz.com website is my community's main website, where the user database exists. xyz.com will authenticate and will redirect to abc.com, that's it.

Can you provide sample code, please?

Why aren't the two sites sharing access to the user database?

 

I'll provide code after you've attempted the solution yourself. Regardless, this is more of an application design issue than it is a direct PHP one.

 

If you want it done for you, you're more than welcome to post in the Freelance forum.

I don't have any control over xyz.com. When the user is redirected to my domain abc.com, I just need to check whether he comes from xyz.com or not...

There's no way to be sure of this. You can check the referrer, but again, this can be faked or might not exist at all. It's not a required header.

 

http://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding

Let's just assume for a moment the referer would ALWAYS be available. You cannot use it to authenticate users on your website; doing so will compromise your website by design.

If xyz.com does not support OAuth then you can't use authenticated users on xyz.com to be also authenticated on abc.com. And trying to use anything else than OAuth (or something like it) will result in compromising your website.

Set a value (yes) on the URL to abc.com from xyz.com and hash it. You can use any hashing method available. Then make use of the GET method.

Let's say on a successful login on xyz.com, you have a redirect that adds a value "yes" on the link to abc.com like this: header("Location: http://abc.com?comfirm=yes");. "yes" should be hashed to a human-readable value; let's say it's hashed to "hffgdfghdfgfsgfgfsfshgsfgf", then it will look like this:

header("Location: http://abc.com?comfirm=hffgdfghdfgfsgfgfsfshgsfgf");

Then on abc.com use an if statement to verify whether the GET value comfirm is set and is equal to the hashed value.

It will work but with a lot of security holes. Rather use one database for both.

If there's a lot of security holes, it won't exactly work. Since he has no control over xyz.com, it can't even be implemented.
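
What the fixed URL hash discussed above lacks is a way for abc.com to tell that the value was produced by xyz.com, is recent, and has not been presented before. The following is an added example, not code from any poster in this thread; it assumes xyz.com would cooperate and share a signing key with abc.com (which the original poster says is not the case), and `issue_token`, `verify_token`, `SHARED_SECRET` and `MAX_AGE` are hypothetical names.

```php
<?php
// Added example, not from the thread. Assumes xyz.com signs its redirect with a
// key shared with abc.com; all names and values here are hypothetical.
const SHARED_SECRET = 'constructed-demo-key'; // real key: long, random, kept in config
const MAX_AGE = 60;                           // seconds a redirect token stays valid

// xyz.com side: build the token appended to the redirect URL after login.
function issue_token(string $user, int $now): string
{
    $claims  = ['u' => $user, 't' => $now, 'n' => bin2hex(random_bytes(8))];
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, SHARED_SECRET);
}

// abc.com side: return the user name for a valid token, null otherwise.
// $seen stands in for a persistent store of nonces that were already used.
function verify_token(string $token, int $now, array &$seen): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_SECRET), $mac)) {
        return null;                          // not produced with the shared key
    }
    $c = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($c) || !is_string($c['u'] ?? null)
        || !is_int($c['t'] ?? null) || !is_string($c['n'] ?? null)) {
        return null;                          // malformed claims
    }
    if (abs($now - $c['t']) > MAX_AGE || isset($seen[$c['n']])) {
        return null;                          // expired, or already used once
    }
    $seen[$c['n']] = true;
    return $c['u'];
}

$seen  = [];
$now   = time();
$token = issue_token('alice', $now);          // constructed sample user
var_dump(verify_token($token, $now, $seen));                          // fresh token
var_dump(verify_token($token, $now, $seen));                          // same token again
var_dump(verify_token(issue_token('bob', $now - 3600), $now, $seen)); // hour-old token
var_dump(verify_token('eWVz.' . md5('yes'), $now, $seen));            // fixed hash, no key
```

After a non-null result abc.com would start its own session with its own cookie, which covers the "do not redirect again" requirement in the question.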
