How to authenticate a URL sent by Wordpress

joethall · July 8, 2014, 2:55am

I have in my Wordpress instance a page that links to an external web site thus - [advanced_iframe securitykey=“49fe9660e0fca647d8275c8f9a8b7d238b6c23a4” src=“http://www.zzzzzzz.com/NNNNNN.asp” width=“100%” height=“800”] and this link seems to work.

What I need to do is create something that amounts to a one-time-key that can be encrypted along with other information to identify the Wordpress user and attach the encrypted results to the above URL. It must be possible at the far end site to verify that this instance of the URL did, in fact, come from Wordpress.

grwebugy · September 5, 2014, 12:39am

If it it is light security, you could just verify the referrer and a generic key or timestamp to verifiy that it was within a certain interval of time.

joethall · September 5, 2014, 1:51am

Well, while not heavy security more than just light security is needed. The URL will be sent to a totally different physical system and thus the clocks between sending and receiving may not be close enough together.

What I think I need is a basic plug-in that can send a URL.

grwebugy · September 14, 2014, 1:24am

But you also need to “authenticate” that url on the other server, right?

joethall · September 14, 2014, 1:10pm

Yes, exactly!

grwebugy · September 14, 2014, 9:11pm

So, what do you have control of on both ends?

joethall · September 15, 2014, 12:27am

On the Wordpress end I have a PHP coded plug-in where I can run some PHP source that creates whatever I need (like a one-time-password, etc). It can suck out various pieces of information from the Wordpress web site (like username, email address, etc). It can combine all this information into a single string and then encrypt the string. Finally it can attach the encrypted string to a standard URL as a key parameter (https://www…com/some.php?key={encrypted string} and then redirect to it.

When the URL is processed across the internet eventually its contents will show up on some.php that is implementing a web site on some machine totally independent from the machine that was providing the Wordpress web site. some.php can decrypt the key (only the plug-in and some.php know the decryption key) and the parse out the various pieces of information - including the OTP.

Presumably, some.php can ‘verify’ or ‘authenticate’ the OTP and if such authentication fails simply exit. If the authentication succeeds then some.php can know that the URL could only have come from the Wordpress plug-in and it can proceed with normal web site processing.

Unfortunately, I do not know exactly how to 1) create a OTP or 2) authenticate it on a separate machine. I do have full control of the implementation of the Wordpress site on one machine and the target site on another machine.

I hope that I have the principles down pretty well, but I not knowledgeable of PHP nor the details of OTP.

Any help would be MUCH appreciated.