Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

how safe is php curl in ssl/https?

Tags:

security

php

curl

session

I want to have two servers, Server A and Server B. Server A does all the authentication (username and password). If the user is authenticated at Server A, then Server A will send POST data of a session id, ip address, useragent, etc. of the user. Server B will receive all this data over SSL and will trust Server A and give access to the user. Also, Server B will only accept POST data from Server A by means of Server A's IP.

My question is, since the post data is sent over curl/ssl, can it be intercepted or stolen while in traffic? can the hacker view the session id in plain text(the most important component here)?

Is there anything I can do to increase the security of this method?

like image 758
user962449 Avatar asked Oct 15 '11 08:10

user962449

People also ask

Is PHP cURL secure?

Curl is as secure as a normal HTTP request.

Are cURL requests secure?

Curl supports SSL v2, v3, and TLS versions 1.0 through 1.3. Only TLS 1.2 and TLS 1.3 are considered secure today. In fact, most browsers no longer accept connections to SSL, and TLS 1.0 and TLS 1.1. Even the browsers that continue to support those deprecated TLS 1.0 and TLS 1.1 versions do so with severe warnings.

Can I use cURL in PHP?

Uses of cURL in PHPcURL is a PHP extension that allows you to use the URL syntax to receive and submit data. cURL makes it simple to connect between various websites and domains. Obtaining a copy of a website's material. Submission of forms automatically, authentication and cookie use.

How do I request HTTPS cURL?

How to send a client certificate using Curl? To send a client certificate to the server when communicating over HTTPS or FTPS protocol, you can use the -E or --cert command-line switch. The client certificate must be in PKCS#12 format for Secure Transport or PEM format if using any other mechanism.

1 Answers

You do not want to implement this with PHP because this is easily achieved with webservers alone. Your Server A handling SSL (there is even hardware for that) can act as an Central Authentication Service and as a Reverse Proxy to Server B. It's a common setup to divide responsibilites between servers. Research these topics please.

You can pick from a variety of solutions for this, ranging from a free solutions like nginx as a reverse proxy or commercial solutions like IBM's WebSEAL, etc.

And yes, when you use SSL, it is secure enough (when in doubt, buy an audit).

On a sidenote, this question is probably better suited for serverfault.com.

like image 104
Gordon Avatar answered Oct 15 '22 00:10

Gordon
Sign in to Comment

Related questions

Docx to pdf using openoffice headless way too slow
PHP namespaces : \My\Namespace or My\Namespace?
CodeIgniter: Counting results from a joined table
Remove date from wordpress images?
Identify EAN / UPC barcode numbers from image in PHP / JS?
php input stream size limitations
Is there a better way to create an alphabetic pagination index in PHP/MySQL?
How to mock an Object Factory
Euro sign not showing on site
select within 20 kilometers based on latitude/longitude
Difference between Transactional and Reporting Database
Handle multiple versions in same URL
Programming practice with a function
Are MD5-hashed passwords from PHP's crypt() portable to the Django password field?
Does PHP have an ordered dictionary?
How long can a php cron job run for / am I doing it right?
Alternatives to Pass both Key and Value By Reference:
Is there overhead using PHP Doc comments vs regular comments?
How to serve documents from outside the web root using PHP?
can php functions have keyword arguments? (like python) [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!