CodeIgniter Forums
Accept request from my app only - Printable Version


Accept request from my app only - El Forum - 09-18-2008

[eluser]psycho-vnz[/eluser]
Hi,

I have an application built with CodeIgniter, and the application must only respond to requests from the IP address or domain of the app.

How can I handle those parameters with CodeIgniter?

Thanks.


Accept request from my app only - El Forum - 09-19-2008

[eluser]Colin Williams[/eluser]
You don't need CI's help (but it is there)

Plain PHP

Code:
$ip = $_SERVER['REMOTE_ADDR'];     // client address as seen by the web server
$domain = $_SERVER['SERVER_NAME']; // host name of the server handling the request

With CI:

Code:
$ip = $this->input->server('REMOTE_ADDR');     // client address as seen by the web server
$domain = $this->input->server('SERVER_NAME'); // host name of the server handling the request

I'm not sure to what degree either of these can be spoofed, but you might want to research that.


Accept request from my app only - El Forum - 09-19-2008

[eluser]thurting[/eluser]
You should really use a firewall for this.


Accept request from my app only - El Forum - 09-19-2008

[eluser]drewbee[/eluser]
I prefer to use tokenization to prevent this kind of activity. It's also useful for preventing double postage!


Accept request from my app only - El Forum - 09-19-2008

[eluser]Pascal Kriete[/eluser]
IP addresses are easy to spoof, particularly at the packet level. The problem is that if you've spoofed the IP address you'll need to be around the server - usually in the same subnet - to catch the response.

I would go with a mix of ideas. Filter the IP (.htaccess filtering is easiest), and also send a unique token.
Most forms in your application should have a token anyways, to prevent CSRF exploits.


Accept request from my app only - El Forum - 09-19-2008

[eluser]psycho-vnz[/eluser]
Thanks for the replies, I'll try to block the external requests to the app using the .htaccess file with this option:
Code:
<Limit GET PUT POST>
order deny,allow
deny from all
allow from .mydomain.com
</Limit>

If it doesn't work I'll try your examples. Can you post an example with a token?

Examples with .htaccess

http://www.md.chalmers.se/Support/Howtos/htaccess.thtml
http://www.webmasterworld.com/apache/3537686.htm

Thanks to all


Accept request from my app only - El Forum - 09-20-2008

[eluser]psycho-vnz[/eluser]
.htaccess wasn't useful, so now I'll try using tokens.
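
A single-use form token of the kind drewbee and Pascal Kriete suggest, as an added example that is not part of the original thread and is plain PHP rather than CodeIgniter's own API. The function names, the `form_tokens` session key and the 15-minute lifetime are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example: single-use form token. $session stands in for $_SESSION
// so the script also runs from the command line.

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

/** Create a token, store it server-side, return it for a hidden form field. */
function issue_token(array &$session, ?int $now = null): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $session['form_tokens'][$token] = ($now ?? time()) + TOKEN_TTL;
    return $token;
}

/** Accept a submitted token once; reject unknown, expired or replayed ones. */
function consume_token(array &$session, $submitted, ?int $now = null): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false; // missing field or array injected via token[]=...
    }
    $now = $now ?? time();
    $ok = false;
    foreach ($session['form_tokens'] ?? [] as $known => $expires) {
        if (hash_equals((string) $known, $submitted)) { // constant-time compare
            $ok = $expires >= $now;
            unset($session['form_tokens'][$known]);     // single use: blocks double posts
        } elseif ($expires < $now) {
            unset($session['form_tokens'][$known]);     // drop stale tokens
        }
    }
    return $ok;
}

// Constructed walk-through with fixed timestamps.
$session = [];
$token = issue_token($session, 1000);
var_dump(consume_token($session, 'forged-value', 1001)); // token never issued
var_dump(consume_token($session, $token, 1001));         // first submission
var_dump(consume_token($session, $token, 1002));         // same token replayed
$old = issue_token($session, 1000);
var_dump(consume_token($session, $old, 1000 + TOKEN_TTL + 1)); // submitted after expiry
```

In a request handler, pass `$_SESSION` (after `session_start()`) and the posted token field instead of the constructed array and values.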