I am aware of $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR']
but these obviously only return the address of the end user (browser)
I have two servers, and i call a page on Server A from Server B (Web server)
(normally passing a form and post data to it from a form on the first and displaying in an iframe)
Naturally this is cross domain.
I want to do a failsafe to ensure that the post data is only being sent from the website, but things like a hidden input box is too easily spoofed.
Is there a way to for it to parse the address of the web server without putting it into the forms input data?
Im not great at explaining this, so im sorry if its confusing. But basically, i want it to be that if I spoofed post data to Server A's page from my own PC (or any other one for that matter) but not via the website interface of my webserver that it will reject the request.
(I can not think of a logical way to do this as obviously the php is server side but the website and form is all client site).
Best example I can think of, Googles Drive API, you specify where the request will come from, and if the request comes from a different address it will reject the request. (but obviously the form is posted from the clients address so this baffles me again)
UPDATE:
Using $.ajax with jsonp to retrieve a session ID from server-A (as @deymac suggested), and applying that to an input (token), however, the session ID is changing each time its called.
<?php
header('Access-Control-Allow-Origin: *');
session_start();
$get = (isset($_GET['get'])) ? $_GET['get'] : "";
if ($get == 'session')
{
echo json_encode(session_id());
}
else
{
$token = (isset($_POST['token'])) ? $_POST['token'] : "";
$sessionid = session_id();
if ($token === $sessionid)
{
Processing code in here.
}
}
?>
echoing out the session id retrieved from the ajax query and the session_id() value, they aren't matching, at all.
