Using PHP to handle CAS logins (migrating from JSP) - php

Background:
We currently have a fully functional CAS implementation using JSP, but want to migrate it to a PHP implementation.
Currently, we have a central CAS server that authenticates the user and redirects them to a landing page (in JSP), which then takes their authentication data and passes it on to a third-party application.
In this JSP we use the following snippet to retrieve the user's data:
String usr = request.getParameter("id");
String nid = (String) session.getAttribute("netid");
Question
How do I retrieve this information using PHP?
I have tried doing:
$_GET
$_POST
$_REQUEST
$_SESSION
and more.
I have a feeling that I may need to install phpCAS in order to do this, but do not want to do so unless absolutely necessary.
Thank you for your time.

Every consumer of a CAS service ticket needs to be able to validate a token, parse the response, etc. It seems like you're currently using some JSP-based CAS client which is doing the work for you? (possibly Yale's, as the Jasig one does not deal with JSP). If you want to switch your client to a non-JSP/Java application, but to a PHP one, your best option is to protect that page/client application with phpCAS. phpCAS will intercept the ticket in the url, validate it against the CAS server and set the appropriate session variables.
Here's a simple example of phpCAS in action:
https://github.com/Jasig/phpCAS/blob/master/docs/examples/example_simple.php
Alternatively, you can write your own interception/validation/parsing code, but since this is a security product, I recommend using one of the well-known/tested clients.

Related

Reuse forms authentication cookie

I have a slightly strange scenario, but a problem that needs solving all the same!
Please note, the websites described below are on different top level domains
I have two web applications, one in ASP.NET MVC and another in PHP, both on separate domains. Let's call them asp.com and php.com. Users authenticate on asp.com, and therefore have an authcookie set by ASP.NET.
Now the php.com website fetches data via a rest service from asp.com. This rest service authenticates via the same mechanism, so when I call this rest service via javascript JSONP from php.com it works fine. However I wish to call the same REST service from the server in PHP.
Is it possible to somehow get the asp.com website to copy and set an authcookie for php.com (the domain is known and trusted), and then in the PHP code pass this cookie on to authenticate against the REST service on asp.com?
It doesn't need to be the exact AUTH cookie, I could create a new cookie with the relevant session key, as long as a valid authcookie could be created and submitted to the REST service.
Questions
1. Is this possible?
2. How do I set the cookie for php.com in asp.com?
3. Short of one of the domains becoming compromised, are there any security concerns?
1. No
2. The first site, asp.com, will have to redirect to a page in php.com. Then php.com can set the cookie itself, and redirect back to asp.com.
3. Yes, which is why you can't do it.
Also, see this answer.

Allow a certain server to only be able to redirect to a php page

This may be a question someone has already asked. (If it is I'm sorry, I could not find another question like this.)
I designed a webapp on PHP-NODEJS-Static HTML. I send a form from the static HTML to the NODEJS app to get approved. If approved I want the nodejs application to redirect to a php page. I already have the nodejs application up on heroku, and it is designed so if it is approved, it automatically redirects to a php page. The problem is that I only want the redirects from the server to be able to display the php page if that makes any sense. How do I go about doing this?
You'll need to have your nodejs, before redirecting, create a secure one-time token. The token should be embedded into the URL pointing to the PHP server (the one that the browsers will follow for redirect), and stored in a database (probably associated with an expiration, umm, say 5 minutes?).
When PHP page receives the request, it should extract the token from the URL, and validate whether the token exists, and only proceed further then. PHP page should also remove the token once used. You will need some sort of a database to store the token, I would recommend Redis, as it has an automatic expiration of keys, so you don't have to worry about clean up, or clogged database.
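The token flow described in this answer, as an added example that is not part of the original answer. It assumes a Map in place of Redis, a hypothetical landing URL, and shows the redemption logic in JavaScript; the PHP page would apply the same lookup, delete and expiry steps.

```javascript
// Added example: one-time redirect token. A Map stands in for Redis (assumption).
const crypto = require("crypto");

const TTL_MS = 5 * 60 * 1000;  // the 5-minute lifetime suggested in the answer
const store = new Map();       // sha256(token) -> { userId, expiresAt }

// Store only a hash, so a dump of the token store cannot be replayed as URLs.
function digest(token) {
  return crypto.createHash("sha256").update(token).digest("hex");
}

// Node.js side: call after approval, just before sending the redirect.
function issueToken(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
  store.set(digest(token), { userId, expiresAt: now + TTL_MS });
  return token;
}

// Build the redirect target; landingUrl is a hypothetical address.
function redirectUrl(landingUrl, token) {
  const url = new URL(landingUrl);
  url.searchParams.set("token", token);
  return url.toString();
}

// Landing-page side: look up, delete, then check expiry.
// With Redis, GETDEL (6.2+) makes the lookup and removal one atomic step.
function redeemToken(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) return null;
  const key = digest(token);
  const entry = store.get(key);
  if (!entry) return null;                 // unknown or already used
  store.delete(key);                       // single use, even if expired
  if (now > entry.expiresAt) return null;  // too old
  return entry.userId;
}
```

A request that reaches the PHP page without a token, or with one that `redeemToken` rejects, should get an error response rather than the page content.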

Communicate NodeJS with PHP and vice versa

Let me describe the situation:
I have a website made entirely in PHP 5.3 and MySQL. The site needs the user to log in to get access; the login "simply" checks user/password and creates a $_SESSION in the domain with the user ID and other non-personal user data.
In PHP I need to read this $_SESSION to detect if the user is logged in.
Now, I am thinking of creating a NodeJS real-time chat with websockets (it only works in the latest browsers, obviously, but I am looking for a pure HTML5 site, not an external client JS like socketio.js), but here are my problems:
First problem: I need to get the $_SESSION['user'] in NodeJS. To do this I need to "pull" from PHP to NodeJS, sending a message like "update-this-user-auth" with the $_SESSION['user'] data, but the problem is, first, HOW is the best way to pull from the PHP server to the NodeJS server running on the same (or not..) machine.
And second problem: HOW to identify the user in NodeJS, because the user has a $_SESSION in PHP but I don't know if the request is from user nº1, nº32 or nº 999999.
For the problem of communicating from PHP to NodeJS I read some posts, and found 2 ways:
CURL: using PHP cURL to "call" a NodeJS service, and send/read data from PHP to NodeJS
Sending messages from PHP to Node.js
DNODE: I found this by googling; it looks good, but requires some extra libraries, and I would like to keep the code clear and preferably simple.
http://bergie.iki.fi/blog/dnode-make_php_and_node-js_talk_to_each_other/
Thanks for all ideas and comments on the best solution to these two problems.
With PHP:
You can save a randomly generated key in the database, associated with the user's IP, user ID and any other session information (time created, last active, expiration date...). Also, save that key in a cookie too.
With Node.js:
Read the cookie, find the key in the DB and check if the session is valid or not.
So, basically, instead of storing all info in PHP, use a shared storage like for example a DB.
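The Node.js half of this answer, as an added example that is not part of the original answer. The cookie name `chat_key`, the Map standing in for the shared database, and the session rows are all constructed for illustration.

```javascript
// Added example: Node.js side of a session shared with PHP through common storage.
const SESSION_COOKIE = "chat_key"; // hypothetical cookie name set by the PHP login

// Constructed rows standing in for the shared table the PHP login writes to.
const sessions = new Map([
  ["constructed-key-aaaa", { userId: 32, ip: "203.0.113.10", expiresAt: 5000 }],
  ["constructed-key-bbbb", { userId: 1, ip: "198.51.100.7", expiresAt: 1000 }],
]);

// Parse a Cookie header; the first occurrence of a name wins, bad encoding is skipped.
function parseCookies(header) {
  const jar = new Map();
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (jar.has(name)) continue;
    try {
      jar.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (_) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return jar;
}

// Decide who is connecting. The user id comes from the store, never from the client.
function authenticate(cookieHeader, remoteIp, now = Date.now()) {
  const key = parseCookies(cookieHeader).get(SESSION_COOKIE);
  if (!key) return { ok: false, reason: "no-cookie" };
  const row = sessions.get(key);
  if (!row) return { ok: false, reason: "unknown-key" };
  if (now >= row.expiresAt) return { ok: false, reason: "expired" };
  if (row.ip !== remoteIp) return { ok: false, reason: "ip-mismatch" };
  return { ok: true, userId: row.userId };
}
```

Run `authenticate` on the Cookie header of the WebSocket upgrade request and refuse the connection unless `ok` is true.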

PHP - Specific scenario for storing login information

I'm making a PHP app to allow our customers to retrieve information from our database, using pre-defined functions. Perhaps PHP isn't the best choice for this, but the same page is also used as a backend for a flash app, and we don't have the time to rewrite it in another language (still, if we did have that time, I'm open to suggestions).
They will access the page via a URL, something like:
http://myurl.com/test.php?function=getUser&username=John
This will call the function getUser($username) and pass the value John as the $username parameter. Here's the twist: this page will be called from an application that the customer creates, not from a browser.
They are allowed to get info about some users, but not others. To enforce this, I require them to provide login information. I'm not sure how I can keep that user logged in so that they don't have to pass their login information every time they call a function, which can be multiple times per second.
I don't think I can use sessions or cookies, since they are not calling the page from a browser. So how can I keep that user logged in?
You can look into setting up something like a SOAP API on your end. Then, you can provide them with a token that goes back and forth (and possibly changes) between each request they make.
Have a read over SOAP and see if it gives you any inspiration at the very least. As far as implementing it, your options are many. Maybe consider using a framework?
You've hit the stateless wall :D .
You will either need to create a session aware browser client object with some library or some token exchange. But as long as you are using a separate session between calls you will need to hit the database again to authorize the user; token or not.
Simple answer: You can't, since HTTP is stateless.
But: You can use the same principle as cookies do, which is "send some authentication info along with the request without transmitting the secret". Have a look into OAuth and if it fits into your scenario. You can even use ready-made libraries for PHP.

Any idea how to do (1) php authentication (2) launch a flex app which knows the user has already been authenticated

Almost everything is in the title:
Here's what I'd like to do:
A nice html page with a php authentication process (http first then https & so on)
Launch a flex app which knows (I don't know how (this is the actual question!)) the user has already been authenticated and display his/her stuff he/she has to do for the day (or whatever...).
Of course if someone tries to call directly the flex app I would display an "authentication error" message and then redirect to the authentication page.
I'm sorry for my English which is perfectible.
I was thinking about the session cookie: first authenticate then add a variable on the server side, something like:
$_SESSION['authenticate']=true
Then, on the flex side, just send the cookie and ask if the user is properly authenticated, something like calling a php web page like:
https://is_authenticated.php?php_session=xxxx
Thank you
Olivier
What are you using on the server side? Remember that you shouldn't do anything in the flex application other than send the SESSION ID along with any requests. Any time where the client checks security, you have a bug. The server must validate the session and determine if the request is allowed.
It sounded in your last comment that you are worried about people manually calling a web page. Each page must check to see if the user is authenticated. I don't know your specific application, but you may try looking at AMFPHP and see how they do session authentication. Good luck!
You're on the right track!
You could use session-authentication, these links might help you out:
http://www.zend.com/zend/spotlight/sessionauth7may.php
http://www.tizag.com/phpT/phpsessions.php
There is also the possibility to use http-authentication
http://se2.php.net/features.http-auth
However, http-authentication is not as flexible as session-authentication, and also means some more configuration on the server side. I would therefore recommend you to stick with sessions.
This is exactly what I would do.. A few things to consider from a security standpoint:
If your php service (from flex) gets an unknown session token, always generate a new one. This also applies to your PHP application and is often overlooked.
I would generate the swf with javascript, and manually insert the session cookie using javascript. This way people won't download and save (or cache) your php pages with sessions that are invalid in the future.
Even better would be to use a separate token other than the session, and on the server figure out what the session id was based on this flex token.
