duanmao2774 2014-02-16 01:28
浏览 45
已采纳

使用php身份验证上传跨站点文件

I have two domain names (in two hosting locations). Domain 1 is a normal website with authentication. I am using Domain 2 as a place to just upload files (for storage). I am using angular-file-upload https://github.com/danialfarid/angular-file-upload from client side.

My backend code is super simple and it is current working .. but without any form of authentication.

<?php
header('Access-Control-Allow-Origin: *');
$fname = $_POST["fname"];
if(isset($_FILES['file'])){
  //The error validation could be done on the javascript client side.

  $errors= array();        
  $file_name = $_FILES['file']['name'];
  $file_size =$_FILES['file']['size'];
  $file_tmp =$_FILES['file']['tmp_name'];
  $file_type=$_FILES['file']['type'];   
  $file_ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
  $extensions = array("jpeg","jpg","png", "gif");        

  if(in_array($file_ext,$extensions ) === false){
   $errors[]="image extension not allowed, please choose a JPEG or PNG file.";
  }
  if($file_size > 2097152){
  $errors[]='File size cannot exceed 2 MB';
  }     

  if(empty($errors)==true){

    move_uploaded_file($file_tmp,"images/".$file_name);
    echo $fname . " uploaded file: " . "images/" . $file_name;
  }else{
    print_r($errors);
  }
}
?>

Questions:

  1. How to make sure the user is authenticated in Domain 1 before they can upload files? I mean I could just change Access-Control-Allow-Origin but someone can easily go to Chrome Developer and do a POST upload from custom javascript.

  2. Is there a way to do #1 without getting overly complicated? Is it possible to pass some cookie values?

I have full control of both hosting sites so I can do whatever I want.

  • 写回答

2条回答 默认 最新

  • dongxiaoshe0737 2014-02-16 01:52
    关注

    Sharing a common secret

    One way is to share a secret, wich is only known to Site A and Site B.

    Suppose Site A and Site B know a common complex and non-predictable string salt [randomness source].

    If Site A authenticates a user, A creates a random string rndA, a valueThrough timestamp and then computes a hash like so:

       sharedHash = hash( rndA + salt + valueThrough )
    • Site A hands over this tuple to the client: [ sharedHash, valueThrough , randA ]
    • The clients hands over this tuple to Site B
    • Site B then verifies the client's rights using the same hash() operation.

    If B computes the same sharedHash and the current timestamp is still smaller than valueThrough, client gets authenticated.

    Letting Site A and Site B talk to each other

    Alternatively, Site A and Site B might talk directly to each other:

    • Site A hands over a security token to the client
    • Client hands over the security token to Site B
    • Site B then verifies the token by directly talking to Site A

    While this technique requires reachability of Site A <-> Site B, the former technique even works, if Site A and Site B can't exchange HTTP-requests directly.

    In both cases Generating cryptographically secure tokens might be of interest.

    Other and stronger techniques certainly exist.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值