Welcome Guest, Not a member yet? Register   Sign In
Simple subdomains handler for CI3
#1

(This post was last modified: 04-04-2016, 10:05 AM by josepostiga. Edit Reason: Added validation warning )

Hey guys. Just wanted to share some useful knowledge on how to detect, and use, multi app system detection for CI3. It's pretty simple and straight-forward.

Edit your root index.php.
On the line where we define the $application var (default index.php set this to application), replace it with this:

PHP Code:
// checks domain
$domain explode('.'$_SERVER['HTTP_HOST']);

// switch domains
 switch ($domain[0]) {
     case 'admin':
         $application_folder 'admin';
         break;

     case 'bo':
         $application_folder 'bo';
         break;

     case 'api':
        $application_folder 'api';
        break;

     default:
         $application_folder 'application';
         break;
 

I use this to handle my SaaS apps, where I can map specific subdomains to different application's folders or use the default one to handle the customer specific application.

Please note that you should have some kind of validation for the subdomains you use here. See below for more details (thanks @albertleao).

This is probably one of many ways to do it. If you have done it differently, please share here!
Best regards,
José Postiga
Senior Backend Developer
Reply
#2

(This post was last modified: 04-04-2016, 08:15 AM by albertleao.)

This is very insecure as I can easily spoof my subdomain to an address.

This should be handled by having different environments
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#3

(04-04-2016, 08:14 AM)albertleao Wrote: This is very insecure as I can easily spoof my subdomain to an address.

This should be handled by having different environments

Can you elaborate on that?
Best regards,
José Postiga
Senior Backend Developer
Reply
#4

(04-04-2016, 08:26 AM)josepostiga Wrote:
(04-04-2016, 08:14 AM)albertleao Wrote: This is very insecure as I can easily spoof my subdomain to an address.

This should be handled by having different environments

Can you elaborate on that?

Sure.

The subdomain is another form of user input. It can be modified by changing hosts files on unix based systems, not sure how to on windows. 

But for example, a user can change their settings so that admin.website.com is actually coming from somewhere else. This can leave room for vulnerabilities.

The safest and most secure way would be to setup the environment on your server rather than have your app choose. Having a .ENV file or an global environment setup through apache or something is the way to go. Some web hosting companies, like AWS, allow you to set environments on boot up of instances.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#5

(04-04-2016, 08:48 AM)albertleao Wrote:
(04-04-2016, 08:26 AM)josepostiga Wrote:
(04-04-2016, 08:14 AM)albertleao Wrote: This is very insecure as I can easily spoof my subdomain to an address.

This should be handled by having different environments

Can you elaborate on that?

Sure.

The subdomain is another form of user input. It can be modified by changing hosts files on unix based systems, not sure how to on windows. 

But for example, a user can change their settings so that admin.website.com is actually coming from somewhere else. This can leave room for vulnerabilities.

The safest and most secure way would be to setup the environment on your server rather than have your app choose. Having a .ENV file or an global environment setup through apache or something is the way to go. Some web hosting companies, like AWS, allow you to set environments on boot up of instances.

Ok, now let's analyse this with te following in mind:

- It's a SaaS app, so we have a wild subdomain configuration that's, then, validated on the application for a valid usage license. E.g: customer.app.ext is checked against a database table for a valid license. If not, the application shows an invalid license error.

What kind of vulnerabilities could we have with this kind of configuration?

An .env file is kind of useless to this logic and I can't see how could you spoof an invalid address that could bypass the license validation? At least not one that couldn't be used for all web addresses.

Thanks for your share Smile
Best regards,
José Postiga
Senior Backend Developer
Reply
#6

If that works for you, then fine. But your initial post was about how to detect a subdomain and route it accordingly not how to detect a subdomain AND validate it with your app.

You have clearly thought out the problem I presented and fixed how you handle it within YOUR app. But by posting the initial snippet for others to copy without having your application logic to validate is bad practice and will leave other websites up for vulnerability.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#7

All I'm saying is that users will find this thread and see "Simple subdomain handler for CI3" and think your initial post is the correct way to handle subdomains, which it isn't. It may work for you in your application, because you added additional checks and hacked around the issue of valid/invalid users on sub domains, but others should be warned that the above method is not a plug-n-play or secure way of doing things.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#8

(04-04-2016, 10:03 AM)albertleao Wrote: All I'm saying is that users will find this thread and see "Simple subdomain handler for CI3" and think your initial post is the correct way to handle subdomains, which it isn't. It may work for you in your application, because you added additional checks and hacked around the issue of valid/invalid users on sub domains, but others should be warned that the above method is not a plug-n-play or secure way of doing things.

Yes, you're absolutely right. And I've edited my initial post to add that information.

All I wanted was to point people on the right direction, not tell them this is the best way to do it! In fact, I warned this is only one way to do it...

And again, thanks for your input Smile
Best regards,
José Postiga
Senior Backend Developer
Reply




Theme © iAndrew 2016 - Forum software by © MyBB