jack007 Posted July 10, 2012 Share Posted July 10, 2012 I have given a task as below: 1-- when anyone open my website abc.com it shud be redirected to another domain(xyz.com). 2-- on xyz.com user will enter his username/password which is for this xyz.com (please note username/password is of xyz.com) and after successful authentication the user will be redirected to my website homepage again. this will be domain by xyz.com 3-- now my task is to check if my domain homepage is called from xyz.com successful authentication. 4-- if user goes to any other page on my abc.com website he should not go again to xyz.com for authentication as he has already authenticated... I guess this will be done via cookie. some sample code will help a alot. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/ Share on other sites More sharing options...
xyph Posted July 10, 2012 Share Posted July 10, 2012 Have you tried anything? Cookies don't work cross-domain. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360573 Share on other sites More sharing options...
jack007 Posted July 10, 2012 Author Share Posted July 10, 2012 Have you tried anything? Cookies don't work cross-domain. i will set cookies only when i know the page ia redirected from xyz.com My main concern is how to check if my abc.com is accessed via xyz.com or not HTTP_REFERRER Will help or not? Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360578 Share on other sites More sharing options...
xyph Posted July 10, 2012 Share Posted July 10, 2012 HTTP_REFERRER is defined by the client, therefore it can be faked, or not exist at all. You could use two-way encryption to communicate from server-a to server-b and validate information, but that should be entirely server-side. Why, exactly, do you need to authorize against information stored on an outside server? Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360582 Share on other sites More sharing options...
jack007 Posted July 10, 2012 Author Share Posted July 10, 2012 HTTP_REFERRER is defined by the client, therefore it can be faked, or not exist at all. You could use two-way encryption to communicate from server-a to server-b and validate information, but that should be entirely server-side. Why, exactly, do you need to authorize against information stored on an outside server? my website is one of my community website. Xyz.com website is my community main website where the user database exists. The xyz.com will authenticate and will redirect to abc.com thts it. can u provide sample code plz ? Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360589 Share on other sites More sharing options...
xyph Posted July 10, 2012 Share Posted July 10, 2012 Why aren't the two sites sharing access to the user database? I'll provide code after you've attempted the solution yourself. Regardless, this is more of an application design issue than it is a direct PHP one. If you want it done for you, you're more than welcome to post in the Freelance forum. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360601 Share on other sites More sharing options...
jack007 Posted July 11, 2012 Author Share Posted July 11, 2012 Why aren't the two sites sharing access to the user database? I'll provide code after you've attempted the solution yourself. Regardless, this is more of an application design issue than it is a direct PHP one. If you want it done for you, you're more than welcome to post in the Freelance forum. I dont have any control over xyz.com.. when user is redirected to my domain abc.com I just need to check that did he comes from xyz.com or not... Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360713 Share on other sites More sharing options...
xyph Posted July 11, 2012 Share Posted July 11, 2012 There's no way to be sure of this. You can check the referrer, but again, this can be faked or might not exist at all. It's not a required header. http://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360779 Share on other sites More sharing options...
ignace Posted July 12, 2012 Share Posted July 12, 2012 Let's just assume for a moment the referer would ALWAYS be available. You can not use it to authenticate users on your website, doing so will compromise your website by design. If xyz.com does not support OAuth then you can't use authenticated users on xyz.com to be also authenticated on abc.com. And trying to use anything else then OAuth (or something like it) will result in compromising your website. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1360999 Share on other sites More sharing options...
hakimserwa Posted July 12, 2012 Share Posted July 12, 2012 set values(yes) on the url to abc.com from xyz.com and hash them out. you can use any hashing methods availble. then make use of the get method. lets say on a succefull login on xyz.com, you have a redirect that adds a values "yes" on the link to abc.com like this headers("location : abc.com?comfirm=yes);. yes should hashed to an human readable value lets say its hashe to" hffgdfghdfgfsgfgfsfshgsfgf" then it will look like this headers("location : abc.com?comfirm=hffgdfghdfgfsgfgfsfshgsfgf) then on abc.com use the if statement to varify weather the get is set of comfirm and it is equal to the hashed value. it will work but with alot of security holes. rather use one database for both. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1361020 Share on other sites More sharing options...
xyph Posted July 12, 2012 Share Posted July 12, 2012 set values(yes) on the url to abc.com from xyz.com and hash them out. you can use any hashing methods availble. then make use of the get method. lets say on a succefull login on xyz.com, you have a redirect that adds a values "yes" on the link to abc.com like this headers("location : abc.com?comfirm=yes);. yes should hashed to an human readable value lets say its hashe to" hffgdfghdfgfsgfgfsfshgsfgf" then it will look like this headers("location : abc.com?comfirm=hffgdfghdfgfsgfgfsfshgsfgf) then on abc.com use the if statement to varify weather the get is set of comfirm and it is equal to the hashed value. it will work but with alot of security holes. rather use one database for both. If there's a lot of security holes, it won't exactly work. Since he has no control over xyz.com, it can't even be implemented. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1361126 Share on other sites More sharing options...
hakimserwa Posted July 15, 2012 Share Posted July 15, 2012 he said he has control over both sites. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1361619 Share on other sites More sharing options...
ignace Posted July 15, 2012 Share Posted July 15, 2012 I dont have any control over xyz.com.. Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1361622 Share on other sites More sharing options...
hakimserwa Posted July 23, 2012 Share Posted July 23, 2012 then its imposible Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1363838 Share on other sites More sharing options...
Jessica Posted July 23, 2012 Share Posted July 23, 2012 SAML Quote Link to comment https://forums.phpfreaks.com/topic/265476-how-to-check-if-a-page-has-been-only-called-from-a-specific-domain/#findComment-1363852 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.