How to protect access to a url?

Question

I would need to create a php file that will do some work on my webserver and that will be called from a program on another server over the internet. Suppose the php file that will do the work is located at www.example.com/work.php

What is the best way to protect unsollicited calls to the www.example.com/work.php?

What I need is some mechanism so that when the intended program accesses the url (with some query string parameters), the work gets done, but if somebody type www.example.com/work.php in their browser, access will be denied and no work will be done.

The way I've thought is to add some 'token' in the querystring that would be constructed by some algorithm from the calling program, a sample result could be to append to the url :

?key=randomKeyAtEachCall&token=SomeHexadecimalResultCalculatedFromTheKey

and the key and token would be validated with a reverse algorithm on the php side.

Is that safe, Are there any better idea?

Answer 1

You can try several thinks !

First try to allow access only from the server that will make the call to your work.php with .htaccess like that:

<FilesMatch "work\.php$">
    Order deny,allow
    Deny from all
    Allow from 111.111.111.111
</FilesMatch>

where 111.111.111.111 is the IP of the server that will call the script.

Another thing you can do is to create a kind of password and send it to the work.php in order to allow the access only to users with password.

In example.

The server that call the script:

$hash = md5('my_secret_key' + date('dFYaG'));

// You can also use any other method you like to call the other script
// such us cURL, sockets and so on.
$f = fopen('http://www.myothersite.com/work.php?skr=' . $hash, 'r');
fclose($f);

and the server that hosts the work.php

$hash = md5('my_secret_key' + date('dFYaG'));

if($hash != $_GET['skr'])
{
    die('You do not have permission to access that file...');
}

// Rest of your code goes here

Answer 2

Depending on how you're accessing it, you can simply have a table with registered API keys, use POST to embed the data in the http request, and check both if the POST variable is set, and if it matches a registered API key.

Alternatively, you can have an API password which is turned to a key server-side before being compared for a greater amount of security (if someone has the straight API key from the database and submits it to work.php, it won't evaluate properly once run through, say, an md5 hash).

Answer 3

You could simplify your idea a bit by just coming up with a really long hash and hardcoding it on either side. Consider it like an API key for your service (similar to something you might receive from a service like reCAPTCHA or Twilio or something like that).

Answer 4

What about generating an RSA keypair? Then encrypt a secret string with the public key (with your application) and keep the private key safe in your PHP script. If the string passed to PHP can be decrypted with the private key (and the string verified), then its your application (unless of course, your application has been broken and the public key extracted).