On my local server I have written a script that takes a username & password and confirms it is valid against my LDAP server.
I have a web site professionally hosted on a remote server. I have a CMS on the remote server and I would like users to use their LDAP credentials to gain access to that CMS.
My plan is to have a login form on the remote server. The form will POST the username/password to itself using https. It will then use CURL to POST the username/password again but this time across the internet to my local server, again using https. My local server will be setup to provide a simple "TRUE" or "FALSE" as a response. If the remote server gets back TRUE, session variables are set to permit access.
Security-wise, is this a safe practise. Should I consider another way?
note: I'm not particularly proficient with cURL but I think I can figure out how to do the above.
LDAP - Lightweight active directory protocol which is used to communicate with your active directory server.
LDAP is there only to authenticate & access AD server in most secure way.
Here is the solution for problem :
Customize existing login functionality of your CMS in a way like - If user his details check with AD server using LDAP whether user is exist in AD, if yes update his credential to your DB(Also keep flag that user is AD enabled), if user is present is AD & not there in your DB create that one.
Likewise after some time al your user from AD server will migrate to your DB & you are not required to keep seperate application to for user migration.
Also every time authenticating with AD is best to provide security but its all up to you, because after migration of all user you can remove this functionaity.
Related
I am hosting my site on xampp and want to auto login my website using LDAP. So as of now I use PHP to grab the windows current username and try to validate it with AD via ldap and it works.
But since PHP is server sided it only grabs current user of the system in which xampp is running how can I achieve it for every system connected via LAN. If I run it on any other system of intranet it shows the system's name which has xampp running on it.
Is there any way to grab windows current user details on the client side or is there any better and easy way for auto login.
Using the workstation-provided logon name is quite insecure -- there are ways to essentially spoof the logon information. When you trust the workstation's USERNAME value, you don't have any way to differentiate between "lisa logged into her domain named example.com" and "lisa logged into the official company domain named example.com". Possibly even "lisa logged into her computer in the workgroup she happened to name example.com".
Assuming you want users to be able to authenticate without having to enter their credentials, the secure path would be either to use federated authentication or the Kerberos token. If you have ADFS set up, federation auth can be acheived in PHP with Microsoft Graph. If the web server can communicate with the domain controllers, the web server can use Kerberos tokens and use the server version of the logged on username. See, as an example, this StackOverflow post.
Either way, users with existing Windows logons are able to authenticate to the website without typing credentials. Users who don't have existing Windows logons get prompted for creds.
So, here's my scenario:
I have a site where I can stream a live video feed from. The site is hosted using Apache, PHP, and MySQL. Users can log in to get access to the site through accounts stored in a mysql db. When going to the page where a user can actually watch the stream, the site is using jwplayer to load() a specific URL. The stream itself comes from an internal server process on another port. However, due to jwplayer being instantiated on the client side, I must pass a URL to it that is accessible remotely. For right now, I'm using Apache ProxyPass to proxy this url to the internal server process and that works just fine. The problem is that anyone could simply type in this url passed to jwplayer into VLC (as an example) and get the stream no problem.
Is there a way I can "proxy" a request to the internal server process using PHP where I can first authenticate the current user from the mysql db?
I've tried using Basic Apache Auth on the specific url path and that DOES prompt for a basic auth username and password. That works to prevent someone from hot-linking to my stream in VLC. However, I don't want users to have to use the basic auth login style and I'd like to continue using my mysql db authentication system. Is there a simple way that I can authenticate a user for the Apache Basic auth from a successful login to a PHP page?
Thanks.
I currently have an antiquated CMS system that I'm trying to add a realtime chat feature to. The CMS runs using IIS, MSSQL and PHP.
The chat feature will run from a separate linux box running Nodejs and Socket.io
I've managed to get the CMS to successfully open a connection to the Node server and now I need some way of authenticating the user.
The Node server will NOT have a database behind it
The Node server will NOT be able to access the CMS other than through the socket
The possibility of new CMS users (very regular occurrence) means I can't just copy the users passwords to the Node server
My only idea at the moment is to put together an array of user data (id, name, email address), create a hash of this data and then send both the data and the hash to Node. The Node server would then attempt to hash the data and validate it against the hash sent by the CMS. (obviously both the CMS and Node would have a predetermined private salt for the hashing)
Is there a better way of achieving this?!
A good rule of thumb is: Don't roll your own crypto unless you're a cryptographer, and even then think twice.
My suggestion would be this:
Run both servers over HTTPS, on their own subdomain (same domain obviously)
Use a *.domain.com cookie domain on your session cookie, with the Secure and HttpOnly flags so that both subdomains can see it
Persist your PHP sessions in JSON to an external key/value store which both servers can access
The Node server can then simply look up valid sessions according to the ID in secure cookie
I started to develop a web application as a major project for my degree. Purpose of app is not important. My problem is handling the login. I have no problem with setting up login with jQuery mobile, that is actualy working pretty well. Problem is I'm handling login with php script through ajax and creating session in that process. So for checking if user is logged in or not I'd normaly use a php script, but in this case I can't. I need to keep using only client side for authentication. What would be the solution for this? Can I handle authentication with some native jQuery functions or do I need to write some JS scripts? If anyone have any solution please I don't need actual code, just best solution. Thank you
You can achieve this as long as login authentication is restricted to the device. What I mean is that user-id / password combination can be stored locally on the device. You may choose local file system storage for this. Here are the steps:
1) Make user register with uid/password
2) Check uid is existing in your local storage. If not register by writing it to local storage.
3) Later when user returns, validate login credentials against the local store.
I assume you're developing a native app with a mobile web framework. In this case you have two choices:
POST the login details out to a server somewhere, authenticate and return the session, allowing the user access. This will obviously require internet access, but will be more secure.
Store the credentials in local storage using JavaScript when the user signs up. Encrypt this value and compare against it when the user logs in.
I'm developing an online application that will have many outside users. As for now my connection method is to host a centralized database for all users, while they connect from their own server files.
Method:
PHP Connection File (hosted on their server; file provided by me) >> Connects to my MySQL Database
Now obviously I need to provide my database user and pw info, but I know that questions security.
So to my point, how would I provide database access to outside users(different servers) without giving up security.
Or if someone has a better method I'd love to hear it. Thanks!
Create an API in php, sort of webservice with an interface that you define and host this API on your server.
Each user (script that runs on users server and uses your API) needs a personal API key or access code they need to register to the webservice.
Take a look at well known API's like Google maps or something similar. Oh even stackoverflow has one
Create a signup form for users and store their own UserID and Password in a table on your site. Then create a PHP interface for them to upload their files. That way, you need only validate thier own UserID and Password through a HTML/PHP form to allow them to sign in, and your MySQL creds stay safely hidden.