|
Lief Rush
Registered User
Join date: 15 Dec 2006
Posts: 18
|
10-30-2008 13:57
I am a novice in PHP; I know just enough to realize I know so little. But has anyone seen some documentation anywhere about how to limit server-side PHP scripts to people accessing them using an llLoadURL function call from LSL and within the client? I think in the header I could confirm that the referring server is Linden Lab's server and maybe identify the client, or would it be the regular browser showing up as header info since some have the client spawn the default browser? Also, how safe is this type of solution, if it is possible? I hope I made sense.
Essentially, does the client send the referer header to the server, and can I limit the users to those who come from that referer?
|
|
Hewee Zetkin
Registered User
Join date: 20 Jul 2006
Posts: 2,702
|
10-30-2008 15:12
I doubt the SL viewer passes any referrer information to external web browsers, but even if it did, it could easily be spoofed. The same goes for the built-in web browser, which still originates its requests from your computer (not LL's servers), not that llLoadURL() can use that one anyway. Even music and media URLs are fetched directly from your computer. The only thing you can really verify is data fetched by SCRIPT through llHTTPRequest()/http_response, and I don't think that's going to help you much. You might want to try for some kind of registration/authentication method instead.
|
|
Pedro McMillan
SLOODLE Developer
Join date: 28 Jul 2007
Posts: 231
|
10-30-2008 16:34
There is a bit of header info that SL sends with an HTTP request from the internal browser, but as Hewee says, it can always be spoofed. The best way is really to have some kind of password or something which gets passed as a GET parameter... maybe make it random per user. (You can use llHTTPRequest in the background to pre-negotiate the password... but remember, it will be visible to the person using it!)
One way to limit folks using brute-force to crack the password is to temporarily block an IP address if it gets the password wrong. (You'd probably need to log IP addresses and timestamps in a database, and check the list for recent failed attempts every time a request comes in). Once again, it's not an ideal solution... but it's something anyway.
|
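The approach described in the post above (a random per-user password passed as a GET parameter, with a temporary block on an IP address after wrong guesses), as an added example that is not part of any post in this thread. The table names, function names, limits and the SQLite store via PDO (requires the pdo_sqlite extension) are assumptions, and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. All names and limits are assumptions.
const MAX_FAILURES   = 5;    // wrong guesses tolerated per window (assumed value)
const WINDOW_SECONDS = 600;  // look-back period, which is also the block length (assumed)

function open_db(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS tokens (user_key TEXT PRIMARY KEY, token_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS failures (ip TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $db;
}

// Endpoint side of the llHTTPRequest pre-negotiation: issue a random per-user token.
// Only a hash is stored, so a leaked table does not hand out working tokens.
function issue_token(PDO $db, string $userKey): string {
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('REPLACE INTO tokens (user_key, token_hash) VALUES (?, ?)');
    $stmt->execute([$userKey, hash('sha256', $token)]);
    return $token;
}

// Page opened through llLoadURL, e.g. page.php?user=...&token=...
function check_request(PDO $db, string $ip, string $userKey, string $token, int $now): string {
    // Check the log of recent failed attempts for this address on every request.
    $stmt = $db->prepare('SELECT COUNT(*) FROM failures WHERE ip = ? AND ts > ?');
    $stmt->execute([$ip, $now - WINDOW_SECONDS]);
    if ((int)$stmt->fetchColumn() >= MAX_FAILURES) {
        return 'blocked';  // the token is not evaluated at all while the block lasts
    }
    $stmt = $db->prepare('SELECT token_hash FROM tokens WHERE user_key = ?');
    $stmt->execute([$userKey]);
    $stored = $stmt->fetchColumn();
    // hash_equals() compares in constant time, so timing does not leak a partial match.
    if ($stored !== false && hash_equals($stored, hash('sha256', $token))) {
        return 'ok';
    }
    $db->prepare('INSERT INTO failures (ip, ts) VALUES (?, ?)')->execute([$ip, $now]);
    return 'denied';
}

// Constructed demo: one valid request, then repeated wrong guesses from another address.
$db = open_db();
$token = issue_token($db, 'avatar-key-placeholder');
echo check_request($db, '203.0.113.5', 'avatar-key-placeholder', $token, time()), "\n";
for ($i = 0; $i < 6; $i++) {
    echo check_request($db, '198.51.100.7', 'avatar-key-placeholder', 'wrong-guess', time()), "\n";
}
```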
|
Laurence Corleone
Registered User
Join date: 12 Oct 2006
Posts: 126
|
10-31-2008 00:33
I put things I want to keep "more-secure" in their own folder and use an htaccess file requiring username and password within that folder. Username and password can be encoded in the URL for your httprequest. If the requests don't come from your script they won't have the username/password and will get an access denied.
_____________________
There are no stupid questions, just stupid people.
|