I have separate servers for my projects, and I would like to ask for stuff across all of them. I found that I had to use either PHP: file_get_contents or cURL, but then here is my question. Is there a way for my servers to verify which server can ask them execute stuff?
For example I use this script:
function is_ajax() {
// BOOLEAN return if AJAX
return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
}
to check wether or not the request is AJAX based.
I will probably have access to each servers IP address, if there is a way to use those.
I can tell that one of the things I want to execute is starting a session on SERVER B, after SERVER A has verified some informations. So to prevent other servers and scripts to execute without permission I want a way for my SERVER B to verify that it actually is SERVER A who's asking.
EDIT:
I am creating a session on SERVER A using a session class that saves the data encrypted in an SQL database.
Also by using session cookie parameters
session_set_cookie_params(
$cookieParams['lifetime'],
$cookieParams['path'],
$cookieParams['domain'],
$secure,
$httponly
);
And even though the servers are different, they share same domain name but are separated in sub domains across the servers, so maybe a way would be to let SERVER B see the session at SERVER A and then create a similar session?
If you have sessions stored in a centralized data store like memcached, then your servers would share the same sessions if they are accessed from the same domain. PHP supports storing sessions in memcached, so you just need to configure it (session.save_handler) to do so. Then all your session code would still work as is, but your sessions would be shared across servers.
I settle with the ?SOMEPASSWORDVARIABLE=LONGSPASSWORDWITHRANDOMCHARS
as #complex857 suggested.
as file_get_contents is run server side, it's not very easy to guess the file name file
the variable and the password, if the actual request could be monitored by monitoring your traffic from your server but the likelihood is very small
Use a [crossdomain.xml][1] file to specify which domains are able to make requests. Requests from other domains will be denied.
Related
I'll explain the setup quickly, we have multiple domains, running on 2 servers (Dev and Live), which all are populated from a CMS database on the Live server. I'm adding in 404 reporting, so each site logs any 404's it gets, and we can view them in the CMS.
Each site, when our Framework detects a 404 error, it does a curl call to http://cms.example.com/log404.php and sends the $_SERVER variable. At the top of the log404.php I have this code which wraps the whole logging code.
if (in_array($_SERVER['REMOTE_ADDR'], array('dev server ip', 'live server ip'))) {
Then in here I store the relevant bits of data from $_POST. The reason I did it this way, rather than each site just directly adding to the database, was if we want to change the logging code somehow (log different data, write it a file, change the database etc), it only needs changing once, rather than in 15+ different sites.
Is the above if statement a safe way to check if the data was posted by us, and not somebody else? Or would it be possible for somebody to manipulate the curl call so the REMOTE_ADDR appears to be one of our IP's?
$_SERVER['REMOTE_ADDR'] uses the IP address from the TCP handshake so the same answer as this applies: Is it possible to pass TCP handshake with spoofed IP address?.
So if this is over the internet, then you are safe from the IP being spoofed.
However, for extra protection you should also protect your log service with authentication (as #moonwave99 suggested) and you should only run your log service over a HTTPS connection.
Who creates a session and how does cookie and any role in it?
I was asked this question in a company's interview process and didn't know the answer. I would like to to know which side creates Sessions i.e whether the client side or server side and does cookie has any role in it.
Also how the server understands which session is provided to which client and which user of client if multiple users are logged in?
What’s the difference between a cookie and a session in PHP?
PHP sessions improve upon cookies because they allow web applications to store and retrieve more information than cookies. PHP sessions actually use cookies, but they add more functionality and security.
Sessions store data on the server, not on the browser like cookies
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser. Sessions use a session identifier to locate a particular user’s session data. This session identifier is normally stored in the user’s web browser in a cookie, but the sensitive data that needs to be more secure — like the user’s ID, name, etc. — will always stay on the server.
Sessions are more secure than cookies
So, why exactly should we use sessions when cookies work just fine? Well, as we already mentioned, sessions are more secure because the relevant information is stored on the server and not sent back and forth between the client and server. The second reason is that some users either turn off cookies or reject them. In that scenario, sessions, while designed to work with a cookie, can actually work without cookies as a workaround, as you can read about here: Can PHP sessions work without cookies?.
Sessions need extra space, unlike cookies
PHP sessions, unlike cookies which are just stored on the user’s browser, need a temporary directory on the server where PHP can store the session data. For servers running Unix this isn’t a problem at all, because the /tmp directory is meant to be used for things like this. But, if your server is running Windows and a version of PHP earlier than 4.3.6, then the server will need to be configured – here is what to do: Create a new folder on your Windows server – you can call it something like C:\temp. You want to be sure that every user can read and write to this folder. Then, you will need to edit your php.ini file, and set the value of session.save_path to point to the folder which you created on the Windows server (in this case, that folder is under C:\temp). And finally, you will need to restart your web server so that the changes in the php.ini file take effect.
Sessions must use the session_start function
A very important thing to remember when using sessions is that each page that will use a session must begin by calling the session_start() function. The session_start() function tells PHP to either start a brand new session or access an existing one.
How session_start in PHP uses cookies
The first time the session_start() function is used, it will try to send a cookie with a name of PHPSESSID and a value of something that looks like a30f8670baa8e10a44c878df89a2044b – which is the session identifier that contains 32 hexadecimal letters. Because cookies must be sent before any data is sent to the browser, this also means that session_start must be called before any data is sent to the Web browser.
link-1
link-2
link-3
link-4
The server creates the session and sets the cookie, which is stored in the client's browser. The cookie contains a session identifier (a string of characters) that allows the user to access a particular session on the server. This session identifier corresponds to the session on file.
Hi I have to retrieve data from several web servers. First I login as a user to my web site. After successfull login I have to fetch data from different web servers and display. How can I share a single session with multiple servers. How can I achieve this?
When I first login it create session and session id saved on temp folder of that server. When I try to access another server how can I use current session that already created when I logged in. Can anybody suggest a solution?
You'll have to use another session handler.
You can:
build your own (see session_set_save_handler) or
use extensions that provide their own session handler, like memcached
In complement to all these answers:
If you store sessions in databases, check that garbage collecting of sessions in PHP is really activated (it's not the case on Debian-like distributions, they decided to garbage sessions with their own cron and altered the php.ini so that it never launch any gc, so check the session.gc_probability and session.gc_divisor). The main problem of sessionstorage in database is that it means a lot of write queries and a lot of conflicting access in the database. This is a great way of stressing a database server like MySQL. So IMHO using another solution is better, this keeps your read/write ratio in a better web-database way.
You could also keep the file storage system and simply share the file directory between servers with NFS. Alter the session.save_path setting to use something other than /tmp. But NFS is by definition not the fastest wày of using a disk. Prefer memcached or mongodb for fast access.
If the only thing you need to share between the server is authentification, then instead of sharing the real session storage you could share authentification credentials. Like the OpenId system in SO, it's what we call an SSO, for the web part you have several solutions, from OpenId to CAS, and others. If the data is merged on the client side (ajax, ESI-gate) then you do not really need a common session data storage on server-side. This will avoid having 3 of your 5 impacted web application writing data in the shared session in the same time. Other session sharing techniques (database, NFS, even memcached) are mostly used to share your data between several servers because Load Balancing tools can put your sequential HTTP request from one server to another, but if you really mean parallel gathering of data you should really study SSO.
Another option would be to use memcached to store the sessions.
The important thing is that you must have a shared resource - be it a SQL database, memcached, a NoSQL database, etc. that all servers can access. You then use session_set_save_handler to access the shared resource.
Store sessions in a database which is accessible from the whole server pool.
Store it in a database - get all servers to connect to that same database. First result for "php store session in database"
is it possible and how to pass php session variables i have with a php and apache.
I have a main site with log in option for my users that runs from apache server and I want to use nginx as a chat/communication server that automatically gets all session variables i have in apache/php session without to pass php session id (for security reason). Both servers have a same ip and stais on a same domain. Nginx server will be on subdomain. Already have set php session to work on any sub domain but is this is valid also if I use nginx server.
Any example will be helpful.
Thanks in advanced.
Technically, the php sessions are files, which are usually located somewhere in /tmp. So once you've the session cookie, you can just read and unserialize the file's contents — after checking, it goes without saying, that the session is not expired.
If you need a more convenient format, look at php's session options. I'm quite sure you can serialize it as json for more portability, and there are ways to store sessions in SQL or even memcached.
I am experiencing difficulties retrieving a cookie in an environment where the URL is http//somesite.com and the request is sent through a load balancing application and farmed out to various servers. I can set the cookie using setcookie in a PHP script as follows:
setcookie("NameTest", $cookieText, time()+3600, "/");
and a cookie somesite.com is created however when I attempt to read the values back from that cookie on the running system I never find the created cookie. I know there must be a way of doing this but haven’t found anything I can use. Can anyone tell me how to accomplish this function?
This of course works perfectly on a single server without the load balancing routine
Cookies are round-tripped client<->server on every request. If the cookie's not present on subsequent requests, you'll have to figure out why the client isn't sending it. If the load balancer is transparent to the end user, then it shouldn't matter which server is handling the request - the client would've send the cookie regardless. So if it's not being sent, then it's not being set properly in the first place.
Yes you can, because externally the client sees same IP and domain address. But if you need to share SESSION info, you have to use something like memcached or mysql to share session data between nodes.