I have a setup in which
- the user may or may not log on to my site,
- the user submits a form to a 3rd party service, and
- the 3rd party service does its thing, then invokes a “webhook” on my site, forwarding all
$_POSTdata.
So, to illustrate:
+---------------------+ +---------------------------+
| mysite.com/form.php |-------->| thirdparty.com/submit.php |
+---------------------+ +---------------------------+
|
v
+---------------------------+
| mysite.com/webhook.php |
+---------------------------+
If the user was logged on at the time of submitting the form, then how can I tell and authenticate this fact in the webhook?
For example, I could naively set a hidden field,
<input type="hidden" name="loggedOn" value="true" />
But anyone can spoof that. I thought I might pass through the user’s password hash,
<input type="hidden" name="passwordHash" value="$2a$08$Lg5XF1Tt.X5TGyfb43vBBeEFZm4GTXQhKQ6SY6emkcnhAGT8KfxFS" />
Effectively making the webhook “log in” again, but this can’t be correct, as it would expose the user’s password hash to the client-side.
I think there must be a better way to do this using session mechanics but I’m new to sessions. Perhaps I’m missing the appropriate vocabulary? Would someone guide me in the right direction? Thanks!
EDIT:
After further research I believe the correct method is to set a hidden form field sid to the session id, session_id(), in order to pass it to the webhook, which in turn will use the session id to continue the session, session_id($_POST['sid']); session_start();. My question is now whether this is the canonical (and secure) solution.
Using session ID is good for keeping track of who made requests and provide some security protection.
You could also consider making each request to the third party contain: