Get request host in PHP

I'm developing a website by Zend. Some people create a html file imitate my login view. Action in form point to my controller to submit. I don't other login outsite from my websites. So how can I prevent other domains submit form to my controller? I tried to get request host name of "requester pages" to compare theirs domain with mine, then return error if user login from other sites.

Answers


  1. you could check the refferer if it is in your domain (or empty)

  2. add a hidden input field an generate a token on every display. if the token is wrong, don't continue and redirect them to your login page. Be sure that every token can only used once, by one user (same session/ip) and only for e.g. 1 hour

EDIT: see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet


Check the ZF manual for CSRF protection, which is the standard, built-in way to solve this problem.


there would be easiest way to prevent out side users to login into your site

  1. user zend captcha to generate every time new code to login session

you can use below link as reference to use in login page

http://mnshankar.wordpress.com/2010/06/01/zend-form-element-captcha/


Need Your Help

How to prevent browsers from remembering checkbox state?

javascript html asp.net browser autocomplete

In a web form, when I programatically uncheck checkboxes which was previously checked, the browsers try to "remember" the previous state and check them again after postback.

Generics: What is the difference between ?, Object, and raw type of a single instance?

java generics

I know the difference between a Collection<?>, Collection<Object> and Collection.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.