I've written some PHP scripts to do some server-side work on a headless linux server machine on a LAN. For example, I have http://ipadress/php/operations.php?operation=registerUser&uName=X&uAlias=Y. Now, I want to secure my operations script so that; not everyone on LAN can call it and/or run it but; only the ones that ... have a pre-shared key...? This is the point I'm stuck at, requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution. What is/are a more secure way(s) of achieving client-limitation on php scripts?
(I'm thinking of maybe requiring a crypted key file from client when starting the session, and denying access to everybody who havent started a scure session...? That's just me theoratically thinking, have no idea where to start to do it in php.)
edit: I clealrly remember writing "requiring a pre-shared key through a GET/POST parameter would be easisest and probably the worst solution." at my original post, so please kindly stop answering with this same thing over and over again.
edit2: to clear things up: the operations.php is called by a program on client machines on same LAN. I dont want any non-client or stranger machine to use operations.php and dont want anyone to be able to access it through browser. I require some kind of security/authentication method to prevent that. I'm not looking for login forms or simple HttpAuths... Also, I cant just simply put limitations over IP adresses because; it's just not practical and kinda worse than hard coded non crypted passwords...
If you're using Apache with mod_ssl, it can force clients to authenticate using certificates that are signed by a specific certificate authority.
In theory, you could create just three certificates: Your signing certificate, your server's certificate, and one certificate to distribute to the clients.
This is generally considered a bad idea, though. It's usually better to distribute a separate certificate to each client.
It seems to me that you are asking a general question about authentication and authorization for web pages.
There are, of course, many different ways to achieve this. You can setup a session based authentication system that requires the user to enter a valid username/password before accessing the page/script. This could be as simple as a login form that is presented when the user tries to access the page unless they are authenticated. You can then use PHP's built-in session management to persist the authentication across pages.
Alternatively, you could do authentication at the web server level, for example in Apache, through HTTP auth.
The most simple way I can think of:
<?php
if ($_REQUEST['key'] == '38lkjsdIEjrkd' && $_SERVER['REMOTE_ADDR'] == 192.168.1.20) {
// load your web page
} else {
// show login or message about authentication
}
I hope that helps.
I second jonstjohn's opinion on HTTP authentication through creating a .htaccess (to allow only certain addresses to access the script) and .htpasswd (to define users who have access). However, this is true if you only need a quick solution for a few scripts.
If there are more scripts that require limited access, the best solution would be to create a class to take care of user logging and keep track of user session.
Generally speaking, embedding passwords and magic numbers in scripts is considered to be a bad coding style. Not to mention that those hard-coded "if"s are really hard to maintain.
Depends on the level of security you require. Basic Http Auth is simple to set up. See the manual.