在iframe请求(PHP)中获取原始服务器的IP地址
[英]Get IP address of original server in iframe request (PHP)
问题描述
I am aware of $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] but these obviously only return the address of the end user (browser) I have two servers, and i call a page on Server A from Server B (Web server) (normally passing a form and post data to it from a form on the first and displaying in an iframe) Naturally this is cross domain. 
我知道$_SERVER['REMOTE_ADDR']和$_SERVER['HTTP_X_FORWARDED_FOR']但是这些显然只返回最终用户(浏览器)的地址,我有两个服务器,并且我从服务器B调用了服务器A上的一个页面( Web服务器)(通常将表单传递给表单,然后将数据从第一个表单发送到表单并在iframe中显示)自然地,这是跨域的。 I want to do a failsafe to ensure that the post data is only being sent from the website, but things like a hidden input box is too easily spoofed. 我想做一个故障保险,以确保仅从网站发送帖子数据,但是像隐藏的输入框之类的东西很容易被欺骗。
Is there a way to for it to parse the address of the web server without putting it into the forms input data? 有没有一种方法可以解析Web服务器的地址而不将其放入表单输入数据中?
Im not great at explaining this, so im sorry if its confusing. 我不太善于解释这一点,因此,如果造成混淆,我感到抱歉。 But basically, i want it to be that if I spoofed post data to Server A's page from my own PC (or any other one for that matter) but not via the website interface of my webserver that it will reject the request. 但基本上,我希望是这样的,如果我从自己的PC(或与此有关的任何其他PC)中将发布数据欺骗到Server A的页面中,而不是通过我的Web服务器的网站界面欺骗,它将拒绝该请求。
(I can not think of a logical way to do this as obviously the php is server side but the website and form is all client site). (我不认为这样做是合乎逻辑的,因为php显然是服务器端,但网站和表单都是客户端站点)。
Best example I can think of, Googles Drive API, you specify where the request will come from, and if the request comes from a different address it will reject the request. 我能想到的最好的例子是Googles Drive API,您可以指定请求的来源,如果请求来自其他地址,它将拒绝该请求。 (but obviously the form is posted from the clients address so this baffles me again) (但显然表格是从客户地址寄出的,这又使我感到困惑)
UPDATE: 更新:
Using $.ajax with jsonp to retrieve a session ID from server-A (as @deymac suggested), and applying that to an input (token), however, the session ID is changing each time its called. 使用$ .ajax和jsonp从服务器A检索会话ID(如@deymac建议),并将其应用于输入(令牌),但是,每次调用时,会话ID都会改变。
<?php
header('Access-Control-Allow-Origin: *');
session_start();
$get = (isset($_GET['get'])) ? $_GET['get'] : "";
if ($get == 'session')
{
echo json_encode(session_id());
}
else
{
$token = (isset($_POST['token'])) ? $_POST['token'] : "";
$sessionid = session_id();
if ($token === $sessionid)
{
Processing code in here.
}
}
?>
echoing out the session id retrieved from the ajax query and the session_id() value, they aren't matching, at all. 回显从ajax查询中检索的会话ID和session_id()值,它们根本不匹配。
1 个解决方案
解决方案1
0 2017-08-06 03:10:41
One thing you can do, to make it more difficult for people to bypass your form, is set a session id in the form 为了使人们更难以绕过您的表单,您可以做的一件事是在表单中设置一个会话ID
When the page loads: 页面加载时:
<?php
session_start();
?>
in html: 在html中:
<input type='hidden' name='token' value='<?php echo session_id(); ?>'>
when you submit the form, check that the session id matches the token 提交表单时,请检查会话ID是否与令牌匹配
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.