Watch My Domains SED API and PHP session id

This is a quick tip for using the Watch My Domains SED API from a PHP script. Remember that this has security implications because a session id will be passed as a URL parameter. You should restrict access to the modified script and use it only within an intranet.

The stateful API exposed by Watch My Domains SED v4 allows creating your own customized web interface using JavaScript and HTML. However, it is not suitable for easily and quickly obtaining information using, for example, a PHP script.

This problem can be fixed by making the PHP script use its own session id, allowing you to authenticate and then call any API query to get or set the required information.

The first step to enable this is to make a copy of the api.php file in the root installation folder and save it under another name, say myapi.php. Then open myapi.php and add something similar to this:

if(isset($_REQUEST['seid'])) {
     $seid = $_REQUEST['seid'];
     // add code here to ensure that $seid has only valid chars
     session_id($seid);
}

at the top, before the…

require 'lib/php/loader.php';

You may want to change the parameter from 'seid' to something else. You can also add some code that checks $_SERVER['REMOTE_ADDR'] and allows access only from specific IP addresses.
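One way to fill in both checks (the valid-character test and the REMOTE_ADDR restriction), added here as an example and not code from Softnik or the product. The allowlisted addresses and the length bounds are assumptions to adjust for your installation; the character set is the one PHP documents for session ids.

```php
<?php
// Added example: hardened prelude for myapi.php.
// Place it at the top, before: require 'lib/php/loader.php';

// Constructed sample addresses (assumption): replace with your intranet clients.
const ALLOWED_CLIENTS = ['127.0.0.1', '::1', '10.0.0.15'];

// True when $remoteAddr is a valid IP that matches an allowlisted address.
function client_is_allowed(string $remoteAddr, array $allowed): bool
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Compare packed forms so different spellings of one IPv6 address match.
    $packed = inet_pton($remoteAddr);
    foreach ($allowed as $ip) {
        if (inet_pton($ip) === $packed) {
            return true;
        }
    }
    return false;
}

// PHP session ids may contain only a-z, A-Z, 0-9, comma and minus.
// The 22..128 length bounds are an assumption, not a product requirement.
function seid_is_valid(string $seid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,128}\z/', $seid) === 1;
}

// Reject callers outside the allowlist before touching the session.
if (!client_is_allowed($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_CLIENTS)) {
    http_response_code(403);
    exit('Forbidden');
}

if (isset($_REQUEST['seid'])) {
    $seid = $_REQUEST['seid'];
    // seid[]=x arrives as an array, so check the type before the pattern.
    if (!is_string($seid) || !seid_is_valid($seid)) {
        http_response_code(400);
        exit('Invalid session id');
    }
    session_id($seid);
}
```

If the server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the allowlist then has to be enforced at the proxy or on an address the proxy sets and you trust.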

Important: Do not change or modify the original api.php file.

In the PHP script that gets or sets information using the API, you should now use myapi.php instead of api.php. You should also pass a session id (created using session_create_id) to myapi.php as a parameter (seid or whatever you named it).

$seid = session_create_id('nxert-');
$url = "https://labs.softnik.com/wmdsed4/myapi.php?seid=$seid";