I am working on a PHP website which is using the php_svn module to retrieve data from our SVN repositories.
For this I have set internally a hardcoded user/pwd so I can connect (dirty way...)
Now I would like to connect using my current LDAP user. Means that once I try to connect to SVN, then PHP should be able to retrieve my current windows session (the client side that executes IE,etc..) and pass it to SVN so it will still recognise me without prompting user/pwd...
Not sure if this is possible but would be brilliant to achieve it :)
Has someone achieved something similar? In the php_svn site not much information is available for this specific point...
http://php.net/manual/en/book.svn.php
Thanks in advance!
It seems like you're trying to get a web request to be session based. Web requests are stateless (meaning each request starts over from a blank slate). If you want to maintain credentials between requests, you'll need to use some kind of session handler. PHP has a built in one. http://php.net/manual/en/book.session.php
You won't be able to directly access the 'windows session' however. The information has to make its way from the windows session, into the browser, which isn't really possible without some kind of browser plugin... the more realistic way to do this is: have the user log in to the website, submit their credentials, then store them in a PHP session, to be re-used by PHP on every subsequent page load.
Related
Since PHP sessions are basically cookies, and I am using them to authenticate logged in users (I know, I should move to tokens), is it possible to read the session cookie on my node app? (I want to create a simple chat that gets the logged in username from the PHP session, and on the way allow only logged in users to use the chat)
What would then be the preferred way to do that? (In terms of security as well)
**Edit: I am trying to get something sort of the node equivalent of this in PHP:
if(!isset($_SESSION['user_id']){
//don't allow access to the chat page
} else {
//show chat for logged user
}
A cookie is not language specific so if the cookie is there, you could certainly read it with node.js.
BUT, the browser only sends cookies to the server that they are associated with. So, if your PHP server is not part of the same sub-domain as the node.js server and the cookies are configured to allow sharing with sub-domains, then the browser won't send the PHP cookie to your node.js server.
To read cookies with Express, you can use the cookie-parser module. Samples for how to use it are in the doc. After installing the cookie-parser middleware, you would end up referencing:
req.cookie
to access that same cookie. To manage sessions using Express and node.js and keep track of server-side session state, one would typically use the express-session module.
I have a use case where I need to be able to access my site from the local server. Specifically, it's for a HTML-to-PDF export of parts of various pages, but this would be nice for testing parts of the website as well.
The problem is that we have a login splash page, which needs to be dealt with before I can access any parts of the website. It would be really nice if I could just call a command "wkhtml2pdf 'localhost/[myurl]'" and have it PDF some stuff, but it hits this splash page.
Is there some way that I can perma-persist just one single session on the server? Or enable login-less access from localhost? Or could I just add a new Apache entry that accesses our site, whitelists only localhost and somehow circumvents the login?
What's the best solution?
You can pass your session cookie as parameter in wkhtml2pdf to solve your problem.
You can also execute it from a php file like this.
exec("wkhtmltopdf --cookie '{$cookieName}' '{$cookieValue}' http://example.com");
Soliciting feedback on this solution now:
I whitelisted localhost via $_SERVER['REMOTE_ADDR'] in the login scripts to bypass the usual user authentication and get an automatic localhost-user login. The server is running, however, on a university LAN, so the LAN maybe really big, possibly enabling bidirectional TCP spoofing.
Should I be worried about this, or does someone need admin rights on the routers or something? I trust the IT folks, but not others.
I realize that this sounds like a separate question, but I feel that security relates to whether or not this is a good solution.
So if I use a server to make call to web page (cURL or file_get_contents or something), and that web page assigns a session to that call (like I use that call to add an item to a shopping cart), is it possible to then migrate that session to a user's browser from the server?
If I'm understanding correctly, you want your server code to browse to a separate site behind the scenes, do something there that creates a session, and then redirect the user of your app to that separate site, but using the same session you created.
If the session is maintained using a cookie, as is likely, than no, you can't -- you'd have to set the cookie in the user's browser as if it came from that other site, and you can't. In general, this seems like it would be prevented by any sort of session hijacking protection, which most decent sites do have.
The alternative, I suppose, is to proxy for your user for their entire use of that other site (i.e. they click on stuff in your app and you pass it on to the other site behind the scenes).
I would suggest to use simpletest's scriptable browser ( http://simpletest.sourceforge.net/en/browser_documentation.html ) to keep track of states while browsing the interwebs form your PHP codez
Probably not - That call to cURL / file_get_contents will likely generate specific session information for the machine that requested it (i.e. your server). The remote machine should be keeping track of things like IP address and other identifiable information to prevent such a maneuver.
If this is possible, then your shopping cart software is horrifically vulnerable to session hijacking.
I don't believe that is possible. But you can start a session between the user's browser and your server, which keeps track of the session cookie that the remote web page issues you.
I'm developing a FLEX application which has a Java Server as back-end.
What I need:
-The FLEX app can only be used if the user it's logged;
-The FLEX app also needs to know which user it's logged, because it will shows especific content about him;
-I need to perform authentication on every webservice call;
However, the webpages are being developed using PHP, as well the login system.
After some digging, I've discovered that I can use the PHP session ID for authenticate every webservice calls, by using the php-java-bridge so both PHP and Java can share the same session.
My problem it's that I don't know how the FLEX app can get the current PHP session ID. I know that it's possible to pass it by flashvars, but I think it's not secure.
If someone has other solution, even not using the PHP session id, I'd really appreciate it.
Thanks in advance.
I see no benefit for Flex to access the PHP Session ID directly; are you sure that's what you need?
The SWF files that Flex creates are intended as client side software. Whereas PHP and Java are usually used as server side software. Try not to treat your Flex app as if it were a server side program.
The way most web applications handle sessions is that the server sets some cookie on the client. The browser automatically passes that cookie with every request; and the server uses that cookie value to sync the request up with a server side session.I know ColdFusion and Java work like this and I assume PHP uses a similar mechanism.
Every time that your SWF (AKA Flex App) makes a request to the remote server, the request will include all cookies set by the server, just like it is a normal browser request. The server should automatically sync the Flex request to a server side session.
Does that help?
you can have a php page that will be called by flex using httpService, return the $_SESSION['userName'] or your session variable. if returned empty. stop the loading of the program. hope it make sense. coz i did the same thing..
I have a client running an ASP.NET application. Inside of that, there's a self-contained PHP wiki. The problem is that the wiki won't use the .NET authentication, so requests directly to http://foobar/path/wiki/ will resolve without forcing a login.
My simple solution for this is to run the PHP application in an iFrame from an .aspx file that will force authentication, and then use PHP to detect if the page is loaded outside of a frame and redirect if so.
I know this can be done with JavaScript quite easily, but I would prefer to do this test server-side before the Wiki content loads. I need help figuring out a way that this can be done. Referrer comparison perhaps?
Any suggestions?
Thanks!
There is no way to tell on the server-side if a client's browser is loading a page within a frame, tab, or dedicated window.
What you can do is have your .NET application set a cookie after authenticating that the PHP application will read. If the cookie doesn't exist then do a redirect to the authentication page.
Even with JavaScript this is not secure. One could simply request the Wiki pages and ignore the JavaScript. For example, I could use WGET to pull down all your content without ever authenticating.
If security is important, I would highly recommend figuring out a way to make the PHP app aware of the authentication.
The simplest approach, if this is all on one server, would be to have the .NET application store some sort of token after authenticating, somewhere PHP can access it. Then set a cookie that the PHP wiki will receive and check that value is a valid session for each request.