php - Allow login to website only if request comes from another specific website -

-

i have php/mysql website (website 1) has login system asks pin code (just long numeric string). user has 2 ways of login in code:

  1. going website 1 login page , enter code in typical login form
  2. clicking in website 2 on link carries pin code value. link has format http://myurl.com/login.php?pin=123456789. calls function receives pin parameter , processes login. website 2 located in different domain/server website 1.

until here works fine.

now come's question. know if when using second method described above, if it's possible allow login (assuming pin correct) only if link has been clicked in specific website.

the way works now, link use login website 1. want prevent that, want allow happen if link has been clicked win website 2.

the idea "detect" referring website in login function, , allow if matches url (or other unique identifier) of website 2.

if using "plain" link not allow wouldn't problem, i'm flexible way use this, in end need meant click users in website 2.

edit

i think it's add since of comments/responses talk security of doing (which great of course). main reason "force" users visit website 2 before going website 1. can't enter url in browser , log website 1, want able use link if they're clicking website 2. explain because security not huge factor here, if few savy users can around whatever method implement it's not big deal, it's more important method simple possible implement in website 2 (since don't run website , need ask people there whatever needed).

i think you're looking variation of single sign on. technique in authentication in 1 site recognised transparently in another. here how works in case.

normally have link in site2.com this:

http://site1.com/login.php?pin=123456789

however, site1.com cannot tell referrer site has come from, since it can trivially faked. of course, may not matter use case, if want simple level of security. if want better, read on!

you can use hashing system , shared secret, create can have come 1 source. both sites have same shared secret, stored in file. we'll call $sharedsecret. algorithm goes this:

$hash = hashfunction($pin . $sharedsecret);

then can in site2.com:

<a     href="http://site1.com/login.php?pin=<?php echo (int) $pin ?>&amp;hash=<?php echo $hash ?>"     alt="authenticated link" >

when site1.com sees it, can pin straight away, repeat algorithm, , check hash did come site2.com. if have several referring sites, site1.com should store separate secret of them, , can securely check referrer see 1 should load.

the shared secret should substantial enough cannot guessed; tend go around 40-60 characters.

however, remaining flaw in plan visit site2.com , steal link them, , still work, providing willing fake referrer every time wanted access. may therefore useful add timestamp algorithm too:

// time rounded nearest 500 seconds, account // out of sync clocks. adjust depending on how long want links // remain active $time = floor(time() / 500) * 500; $hash = hashfunction($pin . $sharedsecret . $time);

then on site1.com should compute 2 hashes:

  • one floor(time() / 500) * 500
  • one floor(time() / 500) * 500 - 500

if supplied hash matches either, allow link unlock content. accounts possibility time went on +/-500 boundary between 1 server , next.

i haven't mentioned specific hashing function here. sha256 should fine, note i'm not cryptographer. if want more security again, may worth checking ensure isn't brute-forcing system flooding system guesses - though on internet hardly worth trying.


Comments

Post a Comment

Popular posts from this blog

python - mat is not a numerical tuple : openCV error -

-
i have write down code showing error ma not getting it: please help: showing mat not numerical tuple: import cv import cv2 capture = cv2.videocapture("j.3gp") while(1): _, frame1 = capture.read() grayimage1 = cv2.cvtcolor(frame1, cv2.color_bgr2gray) _, frame2 = capture.read() grayimage2 = cv2.cvtcolor(frame2, cv2.color_bgr2gray) differenceimage = cv2.absdiff(grayimage1,grayimage2) thresholdimage = cv2.threshold(differenceimage,25,255,cv2.thresh_binary) cv2.imshow("difference image", differenceimage) cv2.imshow("threshold image", thresholdimage) cv2.imshow("image", frame1) k = cv2.waitkey(30) & 0xff error arising : ----------------------------------------------------------------------------------------- traceback (most recent call last): file "desk.py", line 15, in <module> cv2.imshow("threshold image", thresholdimage) typeerror: mat not numerical tuple
Read more

c# - MSAA finds controls UI Automation doesn't -

-
i'm working on automating windows application. i'm using teststack white framework. i've hit problem. program has 'window' object cannot see inside of. white shows no controls inside of it. inspect.exe shows no controls inside of either when running in ui automation mode. if switch inspect msaa see controls inside fine. there anyway me use msaa c# handle on these controls? if can identify msaa functions need, can use p/invoke call them c#. here's example article doing msaa: http://www.codeproject.com/articles/38906/ui-automation-using-microsoft-active-accessibility also, pinvoke.net can used identify iaccessible (msaa) functions: http://www.pinvoke.net/search.aspx?search=iaccessible&namespace=[all] here's answer along lines: msaa com-based? finally, alternative p/invoke, might able use tlbimp.exe create wrapper assembly oleacc.dll, , access msaa functions through it. i'm not sure if works msaa, it's worth try. as e
Read more

wordpress - .htaccess: RewriteRule: bad flag delimiters -

-
pulling hair out on one. have following .htaccess file custom redirects in addition wordpress's default settings. when tested on local wamp server worked fine after moving production i'm not getting rewriterule: bad flag delimiters error in server log , after while site goes down internal server error any appreciated. in advance! <ifmodule mod_rewrite.c> rewriteengine on rewritebase / rewriterule ^rockford_weddings___welcome\.html$ /wedding/ [r=301,l] rewriterule ^blog/?$ /journal/ [r=301,l] rewriterule ^blog/(.*)$ /$1 [r=301,l] rewriterule ^portraitinvestment/?$ /portraitinvestment\.pdf [r=301,l] rewriterule ^weddinginvestment/?$ /weddinginvestment\.pdf [r=301,l] rewriterule ^holidaycards2014/?$ /holidaycards2014\.pdf [r=301,l] </ifmodule> # begin wordpress <ifmodule mod_rewrite.c> rewriteengine on rewritebase / rewriterule ^index\.php$ - [l] rewritecond %{request_filename} !-f rewritecond %{request_filename} !-d rewriterule . /index.php [l] </
Read more