I want to have two servers, Server A and Server B. Server A does all the authentication (username and password). If the user is authenticated at Server A, then Server A will send POST data of a session id, ip address, useragent, etc. of the user. Server B will receive all this data over SSL and will trust Server A and give access to the user. Also, Server B will only accept POST data from Server A by means of Server A's IP.
My question is, since the POST data is sent over curl/SSL, can it be intercepted or stolen while in transit? Can the hacker view the session id in plain text (the most important component here)?
Is there anything I can do to increase the security of this method?
Curl is as secure as a normal HTTP request.
Curl supports SSL v2, v3, and TLS versions 1.0 through 1.3. Only TLS 1.2 and TLS 1.3 are considered secure today. In fact, most browsers no longer accept connections to SSL, and TLS 1.0 and TLS 1.1. Even the browsers that continue to support those deprecated TLS 1.0 and TLS 1.1 versions do so with severe warnings.
Uses of cURL in PHP: cURL is a PHP extension that allows you to use URL syntax to receive and submit data. cURL makes it simple to connect between various websites and domains: obtaining a copy of a website's material, submitting forms automatically, authentication and cookie use.
How to send a client certificate using Curl? To send a client certificate to the server when communicating over HTTPS or FTPS protocol, you can use the -E or --cert command-line switch. The client certificate must be in PKCS#12 format for Secure Transport or PEM format if using any other mechanism.
You do not want to implement this with PHP because this is easily achieved with webservers alone. Your Server A handling SSL (there is even hardware for that) can act as a Central Authentication Service and as a Reverse Proxy to Server B. It's a common setup to divide responsibilities between servers. Research these topics please.
You can pick from a variety of solutions for this, ranging from free solutions like nginx as a reverse proxy to commercial solutions like IBM's WebSEAL, etc.
And yes, when you use SSL, it is secure enough (when in doubt, buy an audit).
On a sidenote, this question is probably better suited for serverfault.com.
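The handoff the question describes (Server A POSTs a session id, client IP and user agent to Server B, which trusts Server A by source IP), shown as an added example that is not code from the question or any answer. It assumes a shared secret provisioned on both servers out of band and uses it to MAC the POST body in addition to the IP check, so Server B rejects a tampered or replayed body even if the source-IP check alone could be fooled; all addresses, secrets and the TLS-version string are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not from the page).
SHARED_SECRET = b"example-shared-secret-rotate-me"   # known only to Server A and Server B
TRUSTED_SOURCES = {"203.0.113.10"}                    # Server A's address (documentation range)
SECURE_TLS = {"TLSv1.2", "TLSv1.3"}                   # the only versions the answer calls secure
MAX_AGE_SECONDS = 30                                  # bound on how long a handoff stays valid


def sign_handoff(session_id, user_ip, user_agent, now=None):
    """Server A side: build the POST body in canonical JSON and MAC it with the shared secret."""
    ts = int(now if now is not None else time.time())
    body = {"session_id": session_id, "ip": user_ip, "ua": user_agent, "ts": ts}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, raw, hashlib.sha256).hexdigest()
    return raw, sig          # raw goes in the POST body, sig in a header (e.g. X-Handoff-Sig)


def verify_handoff(raw_body, sig, peer_ip, tls_version, now=None):
    """Server B side: return the parsed handoff only if every check passes, else None.

    The MAC is recomputed over the exact bytes received, so Server B never has to
    re-canonicalise JSON; any change to a single byte invalidates the signature.
    """
    if tls_version not in SECURE_TLS:            # refuse SSLv3 / TLS 1.0 / TLS 1.1 peers
        return None
    if peer_ip not in TRUSTED_SOURCES:           # the question's own source-IP restriction
        return None
    expected = hmac.new(SHARED_SECRET, raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare; rejects tampering
        return None
    body = json.loads(raw_body)
    ts = int(now if now is not None else time.time())
    if abs(ts - int(body["ts"])) > MAX_AGE_SECONDS:   # stale handoff: limits replay window
        return None
    return body


if __name__ == "__main__":
    raw, sig = sign_handoff("sess-abc", "198.51.100.7", "Mozilla/5.0")
    print(verify_handoff(raw, sig, "203.0.113.10", "TLSv1.3"))
```

Once Server B accepts the handoff it should still create its own session rather than reuse Server A's id verbatim, so a leak on one server does not grant access on the other.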