I created an application in Windows Forms. Users log in to this application with a username and password. The application can only work after the user is authenticated. I do the user authentication on a PHP page on the Internet. With HttpClient, I send the username and password to the PHP page, along with information about which application to authorize. If the username and password are entered correctly, I send a set of values as JSON from the PHP page so that the user can operate on the authorized screen.
So far, so good. However, there is a problem: if the user sets up a local server with WampServer or a similar program and redirects my domain name to the local server through the hosts file, the username and password from the WinForms application will be sent to this local server. The user may well generate the appropriate parameters on this local server and send them to the WinForms application in JSON format.
Finding the parameters in a Windows Forms application is not difficult with methods such as decompiling. That's why I think the parameters can be found very easily, and I think the user can easily bypass my authorization request with the local server method. How can I overcome such a problem? In any case, how can I verify that the response comes from the real website on the Internet?
In my research on the Internet, I read that the username and password can be sent with a timestamp to the PHP page and compared with hash values. However, I am very confused, because I do not keep any hash values in the database.
I think it would be like this:
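    using System;
    using System.Linq;
    using System.Net;

    var uri = new Uri("http://example.com/login.php");
    // A host can resolve to several addresses (IPv4 and IPv6), so check all of them
    // instead of indexing [1], which throws when only one address is returned.
    var addresses = Dns.GetHostAddresses(uri.Host);
    if (addresses.Any(IPAddress.IsLoopback))
    {
        // Localhost...
    }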
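
One way for the client to tell the real server from a redirected local one, shown as an added example that is not part of the original post: the server signs the client's fresh nonce together with the JSON reply, and the application verifies that signature with a public key embedded in it. The key pairs, the sample JSON and the class and method names are constructed for illustration, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedLoginDemo
{
    // Server side (the PHP page in the question): sign nonce + JSON with the private key.
    static byte[] ServerSign(ECDsa serverKey, byte[] nonce, string json) =>
        serverKey.SignData(Concat(nonce, json), HashAlgorithmName.SHA256);

    // Client side (WinForms): accept the JSON only if the signature matches the public
    // key shipped with the application and covers the nonce sent with this login.
    static bool ClientVerify(ECDsa pinnedKey, byte[] nonce, string json, byte[] signature) =>
        pinnedKey.VerifyData(Concat(nonce, json), signature, HashAlgorithmName.SHA256);

    static byte[] Concat(byte[] nonce, string json)
    {
        byte[] body = Encoding.UTF8.GetBytes(json);
        byte[] message = new byte[nonce.Length + body.Length];
        Buffer.BlockCopy(nonce, 0, message, 0, nonce.Length);
        Buffer.BlockCopy(body, 0, message, nonce.Length, body.Length);
        return message;
    }

    static void Main()
    {
        // Constructed keys: the real server's pair and a local stand-in's pair.
        using ECDsa realServer = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa localServer = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        // The application embeds only the public half of the real server's key.
        using ECDsa pinned = ECDsa.Create(realServer.ExportParameters(false));

        byte[] nonce = RandomNumberGenerator.GetBytes(32);     // fresh per login attempt
        byte[] oldNonce = RandomNumberGenerator.GetBytes(32);  // from an earlier login
        string json = "{\"authorized\":true,\"app\":\"demo\"}"; // constructed sample reply

        byte[] genuine = ServerSign(realServer, nonce, json);
        byte[] redirected = ServerSign(localServer, nonce, json);
        byte[] replayed = ServerSign(realServer, oldNonce, json);

        Console.WriteLine($"real server:     {ClientVerify(pinned, nonce, json, genuine)}");
        Console.WriteLine($"hosts redirect:  {ClientVerify(pinned, nonce, json, redirected)}");
        Console.WriteLine($"replayed answer: {ClientVerify(pinned, nonce, json, replayed)}");
    }
}
```

Only the genuine reply verifies, because a redirected server does not hold the private key and a recorded reply covers a different nonce. A user who can patch the application binary can still remove the check, so anything that must stay protected should be enforced on the server.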