stackoom
  简体   繁体   中英

Get IP address of original server in iframe request (PHP)

 原文  2017-08-06 02:54:04       php/ html/ iframe

Question

I am aware of $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] but these obviously only return the address of the end user (browser) I have two servers, and i call a page on Server A from Server B (Web server) (normally passing a form and post data to it from a form on the first and displaying in an iframe) Naturally this is cross domain. I want to do a failsafe to ensure that the post data is only being sent from the website, but things like a hidden input box is too easily spoofed.

Is there a way to for it to parse the address of the web server without putting it into the forms input data?

Im not great at explaining this, so im sorry if its confusing. But basically, i want it to be that if I spoofed post data to Server A's page from my own PC (or any other one for that matter) but not via the website interface of my webserver that it will reject the request.

(I can not think of a logical way to do this as obviously the php is server side but the website and form is all client site).

Best example I can think of, Googles Drive API, you specify where the request will come from, and if the request comes from a different address it will reject the request. (but obviously the form is posted from the clients address so this baffles me again)

UPDATE:

Using $.ajax with jsonp to retrieve a session ID from server-A (as @deymac suggested), and applying that to an input (token), however, the session ID is changing each time its called. 

<?php 
header('Access-Control-Allow-Origin: *');
session_start();
$get = (isset($_GET['get'])) ? $_GET['get'] : "";
if ($get == 'session')
{
    echo json_encode(session_id());
}
else
{
    $token = (isset($_POST['token'])) ? $_POST['token'] : "";
    $sessionid = session_id();
    if ($token === $sessionid)
    {
        Processing code in here.
    }
}
?>

echoing out the session id retrieved from the ajax query and the session_id() value, they aren't matching, at all.

1 answers

solution1
 0  2017-08-06 03:10:41

One thing you can do, to make it more difficult for people to bypass your form, is set a session id in the form

When the page loads: 

<?php
session_start();
?>

in html: 

<input type='hidden' name='token' value='<?php echo session_id(); ?>'>

when you submit the form, check that the session id matches the token

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to get the IP address of the server address on which the request came in using php? GET and POST request not working for a ip-address (Internal server error) Get IP address of the server sending a request via html form get the request time and ip address iFrame Widget get URL and IP Address How do I get the local IP address of the server using PHP? PHP display server IP Address Get the ip address of client in php php, get client ip address Get IP address of ISP with PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM