Is it possible?

mkarabulut

well,I had mentioned about my trouble a few days ago on this forum. This is what I want to and I am not sure that it can be solved with PHP,indeed all ways to solve this are welcome , not only on PHP, also any recommendation including server configuration or anything.Here it is:

I have PHP scripts on server A.
and there is a php script on both server B and C , that reads the script on server A and outputs the output of the script on server A.
But I don't want the script on server B can read it. I want to restrict the access to the script so only permitted servers can read the script and get the information.
I couldn't manage it with php, I thought I could do it with $remote_addr, but proxy servers intruded in and it didn't work properly. Indeed I wasn't sure whether I can rely on $remote_addr,just because I don't exactly know whether it is possible for client to connect with a tricky IP
address ?
I need your opinions and helps. Thanks

Anon

Why not let in only the user with the ip of the valid host only!
Like:
<?php
$valid_host = '127.0.0.1';
if ($_SERVER["REMOTE_ADDR"] != "$valid_host")
{
echo "You are NOT IN!";
exit;
}
echo "You are IN!";
?>

mkarabulut

Indeed it is the same thing, the main thing is to recognize who is reading the file. I tried to make it with IP address. But there can be damned proxy servers on the way, and when I get the IP , it is not sure whether it is the server's or proxy's. And on the other hand I don't know if I should rely on IP for restriction, is there a way to use a false IP for connections ?
and by the way Metin, are you Turk ?

Anon

The best why would be to let the user login with username/password
and if it's a valid user set a session variable!
You can set the expiration time of the session cookie to 2-3 months!
And later just check the for the session variable instead of the ip of the host.

and by the way Metin, are you Turk ?
Yes, I am Turk, but my Turkish is very bad!

mkarabulut

This is not suiting the purpose why I want to use servers communicating each other that visitor won't know anytime. You see ?
Bu arada buralarda Türkleri görmek iyi oluyor,benim de ingilizcem fazla iyi deðil zaten :-)

hankster

Could you try something with headers? Just a thought (maybe not a possible).

mkarabulut

I don't know.Please think about where I can send a header between these codes .
<?
$fop = fopen("http://www.servera.com","r");
echo fread($fop,2000);
?>
At this moment, if this server is permitted, it will be able to echo the content, otherwise not.

Anon

Yeah, but what Metin means is that it's NOT the user that submits the password, but the script. So the password will be contained inside the script (or in another file which the script reads) and it will send it along with the request for the file. So the user doesn't have to submit a password and he/she will never know what happened behind the scenes.

Diego

Anon

Here's an idea off the top of my head - no idea if it's a good one - hasn't been baking long enough :-)

One of the extensions that can be built into PHP is called cURL (see the list of functions in the manual). With it, you can have one server build arbitrarily complex requests to send to another server, and get back results.

My idea is an extension of Metin Arman's.

I need names. I'm going to call the server that wants the file "NEEDY" and the server that is being asked for the file "MINE". Why? I just can, that's all.

Okay, so NEEDY (with cURL installed) sends a request to MINE. The request consists of form POST data containing login request stuff. Notice that there doesn't need to be any communication between NEEDY and MINE before this.

When MINE receives a request, it looks for the login data, and checks it off against its database, to see if it is a valid login. If it is a valid login, it sends back the wanted file. Otherwise it just sends back a blank page or a denial message.

Since this is a form POST and since it doesn't have to be entered by a human, the login data can be quite big and complicated (say, three kilobytes of random ASCII), defeating dictionary-type attacks, and nasty people are reduced to snooping your network connection or breaking into one of the servers.

For added security, you could have MINE send back a countersign that NEEDY has to respond to (with another cURL request) in the right way before MINE will serve up; this will defeat those who just snoop your network conection, because even if they know the initial login request, that doesn't mean they can predict what needs to be sent in response to the countersign (which would be different each time). They'd then be having to either snoop for a very long time and try and discover a pattern, or again break into the server directly.

Now there is just the matter of network snoopers getting MINE's file from the network connection, but there're plenty of opportunities for encryption if you want it.

There y'go. How's that for a half-baked idea?

mkarabulut

Thanks chaps(it seems we will be very good chaps among these trouble dealing processes.)
Diego,Metin,Grumbler and Hank. I have to examine your ideas first, they look very useful,let me a while to try for them.
And unfortunately it seems that I won't be able to solve this damned thing without a clear explanation of what my project is.
Let me a while to think of these
Thanks again, you are so polite.