kepler has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I've got a question which someone might help with. I want to provide rented scripts from my website. This means I have to check if the request comes from the right client. The problem is that the only way I've found is to check the variable HTTP_REFERER which gives - supposedly - the domain where the request came from. The problem is that, as far as I know, this can be faked. So I've thought of the REMOTE_ADDR variable. But this gives me the visitor - not the website - IP... Is there a way around this subject?... Kind regards, Kepler

Replies are listed 'Best First'.
Re: Client IP question
by thomas895 (Deacon) on Dec 21, 2015 at 21:24 UTC

    I'm assuming you're providing some kind of endpoint that webmasters (your clients) can link to/embed/whatever in their web pages. These typically work as follows: when your customer subscribes to your service, you provide some string that identifies their application. If you've ever used any commercial web analytics service, it's very similar.

    Perhaps you provide the customer something like this to embed in their webpage:

    <script src="http://example.com/my_cool_javascript.pl?id=abc1234"></script>
    
    ...where that "abc1234" can be any string that your business uses to uniquely identify its customers.
    You would have to make it so that this value is also included in any other web requests that this javascript might make.
    When/if a customer's subscription expires, my_cool_javascript.pl will stop serving the javascript that it once did. You would need to devise some way of checking if a customer still has a subscription to your service.

    -Thomas
    "Excuse me for butting in, but I'm interrupt-driven..."

      Hi

      I thought about it and there's only one way - I think - to be sure that the domain calling the scripts is a certified one. HTTP_HOST in Perl gives my host name. But in Javascript or php, window.document.location.hostname or $_SERVER['HTTP_HOST'] gives theirs... So if a request with one id matching a client domain is made and a javascript code is sent and compares the two values, I might prevent a hijack. If the hosts don't match, I make an automatic redirect. What do you think? Regards,

      Kepler

        It's impossible to prevent your javascript from being copied to some other site and being used from there. In fact, it's also trivial to spoof everything so as to make your service think that the actual customer is making the request.

        If this is a problem, find a way to restructure your service such that the APIs are private - not for being called by your customers' customers. For an example, look at Google's OAuth flow. Perhaps this will work, perhaps not - you haven't told us much about what exactly it is you're trying to accomplish.

        -Thomas
        "Excuse me for butting in, but I'm interrupt-driven..."
        JavaScript document.location sounds plausible, but PHP $_SERVER['HTTP_HOST'] should give the same as Perl CGI's $ENV{'HTTP_HOST'}, because both should come from the (supposedly same) web server — or are you using client side PHP??
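One way to implement the per-customer id that thomas895 describes, as an added example that is not part of the thread or any poster's code: a CGI-style Perl script that hands each customer a signed, expiring token instead of a bare id, and only serves the JavaScript while the token is authentic and the subscription is still active. It assumes the core Digest::SHA module, a hypothetical in-memory subscription table, and a constructed placeholder secret; the customer ids, expiry values and the `id=` query parameter are taken from the thread's own `?id=abc1234` pattern. As the replies point out, this does not stop anyone copying the served script elsewhere; what it does give you is a server-side switch that is not based on the spoofable Referer or the visitor's IP.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret; in production load it from outside the web root.
my $SECRET = 'replace-with-a-long-random-secret';

# Constructed subscription table: customer id => subscription expiry (epoch seconds).
my %subscriptions = (
    abc1234 => time() + 30 * 86400,   # active for another 30 days
    old9876 => time() - 86400,        # lapsed yesterday
);

# Token handed to the customer for their <script src="...?id=TOKEN"> tag:
# "<id>.<expires>.<hmac>" so the server can check it without a database hit.
sub make_token {
    my ($id, $expires) = @_;
    my $mac = hmac_sha256_hex("$id.$expires", $SECRET);
    return "$id.$expires.$mac";
}

# Constant-time string comparison so a forger learns nothing from response timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the customer id when the token is genuine, unexpired and the
# subscription is still active; returns undef otherwise.
sub verify_token {
    my ($token) = @_;
    my ($id, $expires, $mac) = split /\./, $token, 3;
    return undef unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$id.$expires", $SECRET);
    return undef unless ct_eq($mac, $expected);          # forged or tampered
    return undef if time() > $expires;                   # token itself expired
    return undef unless exists $subscriptions{$id};      # unknown customer
    return undef if time() > $subscriptions{$id};        # subscription lapsed
    return $id;
}

# CGI entry point: serve the script for a valid token, a 403 otherwise.
# HTTP_REFERER is deliberately not consulted; it is only worth logging.
sub handle_request {
    my ($query) = @_;
    my ($token) = $query =~ /(?:^|&)id=([^&]*)/;
    my $id = defined $token ? verify_token($token) : undef;
    if (defined $id) {
        return "Status: 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
             . "/* script for customer $id */\n";
    }
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nnot authorised\n";
}

# Stand-alone demo: an active customer, a lapsed one, and a forged token.
unless (caller) {
    for my $id (qw(abc1234 old9876)) {
        print handle_request("id=" . make_token($id, time() + 3600));
    }
    print handle_request("id=abc1234.99999999999.deadbeef");
}
```

Run it directly to see the three cases; under a web server the same script reads `$ENV{QUERY_STRING}` and prints the response. Rotating the secret invalidates every outstanding token at once, which is the simplest way to cut off a customer you no longer want to serve.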
Re: Client IP question
by stevieb (Canon) on Dec 21, 2015 at 19:23 UTC

    First, what do you mean by "rented scripts"? Perl scripts aren't something you can just lend out and expect to get back ;)

    The only real way to do this is use some form of authentication. Anything in the HTTP headers can be spoofed, as can the caller's IP with enough trickery.

    You need to explain the situation and problem case more clearly (i.e. provide more details).