0

I have separate servers for my projects, and I would like to ask for stuff across all of them. I found that I had to use either PHP: file_get_contents or cURL, but then here is my question. Is there a way for my servers to verify which server can ask them to execute stuff?

For example I use this script:

    function is_ajax() {
        // BOOLEAN return if AJAX
        return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
    }

to check whether or not the request is AJAX based.

I will probably have access to each server's IP address, if there is a way to use those.

I can tell that one of the things I want to execute is starting a session on SERVER B, after SERVER A has verified some information. So to prevent other servers and scripts from executing without permission I want a way for my SERVER B to verify that it actually is SERVER A who's asking.

EDIT: I am creating a session on SERVER A using a session class that saves the data encrypted in an SQL database.

Also by using session cookie parameters

    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly
    );

And even though the servers are different, they share the same domain name but are separated into subdomains across the servers, so maybe a way would be to let SERVER B see the session at SERVER A and then create a similar session?

Corfitz.
  • 1
    Can't you just submit some kind of shared secret along with the request, like a long random string as HTTP parameters? – complex857 Feb 25 '13 at 14:26
  • @complex857 I think that would be possible to crack... – Corfitz. Feb 25 '13 at 14:28
  • 1
    Well, of course, but as long as your communication channel is not plain text, and your code is not public (could be a configuration parameter coming from an environment variable so it won't be committed to source control) it should be fine. If you don't want it to show up in server logs you can use HTTP POST. Depends on what level of security you're looking for. – complex857 Feb 25 '13 at 14:29
  • @PhilipJensBramsted: Also complex857's suggestion while not a super high level of security is definitely more secure than relying on `$_SERVER` data. Perhaps a combination of the 2... and as he said it all depends on what level of security you need. – prodigitalson Feb 25 '13 at 14:37
  • I am not that paranoid, but I am a bit perfectionistic, and I have been working on making everything else as secure as possible. Check edit. Maybe it will give other possibilities. – Corfitz. Feb 25 '13 at 14:44

3 Answers

1

If you have sessions stored in a centralized data store like memcached, then your servers would share the same sessions if they are accessed from the same domain. PHP supports storing sessions in memcached, so you just need to configure it (session.save_handler) to do so. Then all your session code would still work as is, but your sessions would be shared across servers.

Brent Baisley
  • I assume that I would need to store it in both `memcach` and database.. Would this still be safe enough then? – Corfitz. Feb 25 '13 at 15:08
  • by the way.. didn't tell before, but the servers only share the same domain name.. there are subdomains spread across the different servers.. – Corfitz. Feb 25 '13 at 15:13
  • No, sessions would only be stored in memcache. Think of memcache as a database in memory. You could have sessions set on the base domain using session_set_cookie_params. Then you would have a single sign-on. That may not be what is wanted. – Brent Baisley Feb 26 '13 at 02:46
  • I talked to my colleagues and the server administrator. He agreed with you, and that was basically also the idea, but the thing is that the two servers can't see each other and are not a part of a local network. It is two separate virtual servers on hostgator.. – Corfitz. Feb 26 '13 at 08:57
0

I settle with the ?SOMEPASSWORDVARIABLE=LONGSPASSWORDWITHRANDOMCHARS as @complex857 suggested.

As file_get_contents is run server side, it's not very easy to guess the file name, the variable and the password. The actual request could be monitored by monitoring the traffic from your server, but the likelihood is very small.

Iesus Sonesson
  • Okay now.. Please verify if this is secure enough.. I have built an encryption class, that encrypts an `array()` containing the variables from which I want to create a session. Before I encrypt the `array()` I insert an already encrypted password - which gives me an encrypted version of an encrypted password. Next I send this in the URL query string to the next server which decrypts the array using a similar `salt` localized in a private variable stored outside of web root. It uses another `salt` stored the same way to decrypt the password in the `array()` ... – Corfitz. Feb 25 '13 at 17:09
  • ... continued. This password will be compared to a password localized as a private variable in another directory outside webroot, and if these passwords match, the server will create a session with the data from the decrypted array. – Corfitz. Feb 25 '13 at 17:10
  • @PhilipJensBramsted sounds secure enough to me :) – Iesus Sonesson Feb 26 '13 at 11:24
  • and to top it, I send the request by cURL as $_POST – Corfitz. Feb 26 '13 at 11:59
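
Added example (not code from the question or from any answer here): a variant of the shared-secret idea in which SERVER A signs the session data with an HMAC instead of sending the secret itself, and SERVER B checks the signature and a timestamp before trusting the data. The function names, the `INTER_SERVER_SECRET` environment variable and the five-minute window are assumptions; the payload is signed, not encrypted, so it still travels as a cURL POST over HTTPS.

```php
<?php
// Added example: names and values below are hypothetical.
const MAX_SKEW = 300; // seconds a signed request stays acceptable

// SERVER A: serialise the session data and sign it together with a timestamp.
function sign_request(array $data, string $secret, ?int $now = null): array
{
    $body = json_encode($data, JSON_THROW_ON_ERROR);
    $ts   = (string) ($now ?? time());
    $mac  = hash_hmac('sha256', $ts . "\n" . $body, $secret);
    return ['body' => $body, 'ts' => $ts, 'mac' => $mac]; // POST fields
}

// SERVER B: returns the decoded data only if the signature and age check out.
function verify_request(string $body, string $ts, string $mac, string $secret, ?int $now = null): ?array
{
    // Reject malformed or stale timestamps so a captured request cannot be replayed later.
    if (!preg_match('/^\d{1,12}$/', $ts) || abs(($now ?? time()) - (int) $ts) > MAX_SKEW) {
        return null;
    }
    // Recompute the MAC over exactly what was received; compare in constant time.
    $expected = hash_hmac('sha256', $ts . "\n" . $body, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $data = json_decode($body, true);
    return is_array($data) ? $data : null;
}

// Constructed demo values; in production the secret comes from the environment only.
$secret = getenv('INTER_SERVER_SECRET') ?: 'constructed-demo-secret';
$msg    = sign_request(['user_id' => 42, 'role' => 'member'], $secret);

// Untouched request from SERVER A.
var_dump(verify_request($msg['body'], $msg['ts'], $msg['mac'], $secret));

// Body altered in transit: the MAC no longer matches.
$tampered = str_replace('member', 'admin', $msg['body']);
var_dump(verify_request($tampered, $msg['ts'], $msg['mac'], $secret));

// Same request presented an hour later: outside the allowed window.
var_dump(verify_request($msg['body'], $msg['ts'], $msg['mac'], $secret, time() + 3600));
```

Unlike the `X-Requested-With` check in the question, nothing here depends on a header or address the caller can set freely; only a holder of the secret can produce a matching MAC.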
-1

Use a [crossdomain.xml][1] file to specify which domains are able to make requests. Requests from other domains will be denied.

  • 1
    I think that only applies to Adobe Flash files. Even if that's not the case, the requestor would have to be coded to honor the crossdomain.xml file - it doesn't really implement any sort of security at the server level. – WWW Feb 25 '13 at 15:27