I have a ColdFusion website that is currently running well with login/register modules. I want to use my ColdFusion session in PHP. Can this be achieved?
As mentioned in the comments, no it's not really possible. CF and PHP cannot share in memory sessions variables. However, there are other alternatives such as using cookies.
I used that approach once because a client wanted to share sessions with PHP Forum software. I simply grabbed it using cookies, by finding what cookies were being set ie <cfdump var="#cookies#">. Then converted those cookies into sessions variables. (If you need it the other way around, try doing it in reverse.)
Another possibility is sending data securely by using encrypted URL variables. But we need to know more about your goal. Can you explain exactly what you are doing?
Related
I'm currently using a PHP login system that checks the user against a database and sets a logged_in cookie. Then when they logout the cookie is removed. I'm not familiar with how easily someone would be able to hack this system, i see a lot of people use cookies as well as sessions. Can someone explain to me like i'm 5 what the significance is of using it that way? In terms of security?
BTW that's all that i use in my login system, is there anything more i should be doing? It's just small websites i'm working with nothing super important.
Thanks in advance!
We store session on the server and store cookie on the client browsers. It is better if you use session instead of cookie.
I'm setting some cookie values where the values are slightly sensitive, but nothing too serious.
Basically I would like to encrypt the value, but just a very quick, basic method.
I'm thinking base64 but that seems to return a really long string.
It just needs to be really quick and simple. Quick being low processing time.
Something like this is too much: http://crackstation.net/hashing-security.htm
I'm using Symfony2 but I don't think there's anything in there to help me (e.g. built-in cookie encryption).
The NelmioSecurityBundle can encrypt cookies. https://github.com/nelmio/NelmioSecurityBundle#encrypted-cookies
If the data you want to store in the cookie are sensitive, you should not store them in cookies in the first place.
I recommend using sessions. This way the data will not be transferred to the user but will still be accessible by your PHP scripts on the server.
I am writing a PHP script that needs to integrate with an ASP.NET login (which happens to be built on Sitecore, not sure if that matters). I need to replicate the ability to generate/login/encrypt a session & data cookie, and also detect if the user is logged in by detecting/decrypting a session & data cookie. Both the PHP & ASP scripts can share the same MS SQL database and are on the same filesystem, so that's not an issue. Most of my issues are just with setting/reading the ASP cookies within PHP.
I have 2 cookies set by ASP.NET,
ASP.NET_SessionId and .ASPXAUTH
It is my belief that the ASP.NET_SessionId is for the session obviously and .ASPXAUTH is for the data.
My questions are:
It is my belief that in order to know if someone is logged in (or login someone in) via an ASP session, in PHP, I will need to compare the session data with the sessions stored on the filesystem, does anybody know where (or what determines where) these are located?
Does anybody know the algorithm used to encrypt/decrypt the ASPXAUTH cookie? I'm aware of the standard "Encrypt" and "Decrypt" methods, but I want to know the code that makes them run precisely. IE is it first some sort of data array that is then salted and hashed? Do the bytes of the output need to be shifted/converted? If so, in what order/way?
I appreciate any assistance, I will award an answer for the person that is the most helpful in answering either of these questions in the next few days.
Currently I have been able to reproduce cookie generation via setcookie() in PHP. That is, I can login via ASP.NET app, take the cookie data, plug it into the PHP app and logout via the ASP .NET app. For those who are going to troll me, I am well aware this is possible and I do not NEED to explain why I am doing this, but it involves a lot of time, money and reasons, so yes, I do need to use BOTH PHP & ASP.NET.
THANKS!
UPDATE
I believe I was partially able to decrypt the cookie using this answer: https://stackoverflow.com/a/988018/775586 Anybody know how to finish it off?
It is my belief that in order to know if someone is logged (or login
someone) in via an ASP session, in PHP, I will need to compare the
session data with the sessions stored on the filesystem, does anybody
know where (or what determines where) these are located?
Nowhere on the file system. By default ASP.NET stores session data in the memory of the application domain. So you can simply forget about accessing this part of the memory from PHP. There are other modes that you could choose which allow you to store the ASP.NET session data either out-of-proc (in a dedicated Windows Service) or in SqlServer. For more information about the different ASP.NET Session modes I invite you to read the following article.
Does anybody know the algorithm used to encrypt/decrypt the ASPXAUTH
cookie? IE is it first some sort of data array that is then salted and
hashed? If so, in what order/way?
It uses the FormsAuthentication.Encrypt and Decrypt methods. They in turn use whatever algorithm and keys you have defined in your machineKey section in your web/machine.config files. For more information about how Forms Authentcation works in ASP.NET I invite you to read the following article.
Okay so for the first question...
ASP doesn't store on the raw filesystem, but can store session data in a database if configured properly and you can specify where. From what I recall reading, this is in a database called "tempdb" or a database which may also have some sprocs in it. More info on that in more plain English here: http://www.codeproject.com/Articles/104082/Configuring-ASP-session-state-on-SQL-server
For the second and more important question:
This amazing article will give you a breakdown of how the ASPX_AUTH cookie is generated and the algorithm to do so: http://www.codeproject.com/Articles/16822/The-Anatomy-of-Forms-Authentication
I have implemented a login class in PHP, and want to create a remember me type functionality so users won't have to login with each visit. I have researched this a bit and was preparing to write it using PHP setcookie(...) but then ran across this page: How to Create 'Remember Me' using jquery , store cookies. I was planning on writing this in PHP since it's my strength, but this page makes it look so easy in js: http://www.quirksmode.org/js/cookies.html
I am looking for a little guidance on gotchas for each method, and more specifically issues related to security. I just want to make sure I don't complicate the task or open any holes by providing this type of functionality.
Thanks, Kris
OpenID, facebook connect, twitter signin
I would advice you not to right(read below for cookie rememberme information) your own login system, because coding a secure system is difficult(storing password secure is HARD). It also saves you a bunch of coding. For example when you sign in at my openid example using google you can tell Google to remember you for 30 days. The code used for my example can be found at my github page.
Http_only
You should use http-only cookies to protect yourself against cookie stealing(Try not to use cookies from javascript). The php function setcookie also has a http-only flag. For session you could achieve this using something like:
<?php
ini_set("session.cookie_httponly", 1);
// or
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>
Do not Store data inside cookie
Also you should store as little information possible inside the cookies. Get the data from database(session). I think you easily accomplish rememberme cookies setting the expire of your sessions as high as you like, but not to high if you ask me.
Interesting read
This is also a pretty interesting read to improve session security: http://web.archive.org/web/20120417214604/http://segfaultlabs.com/files/pdf/php-session-security.pdf
It doesn't make much sense to create an identification token on the server, send it to the client and set there using Javascript compared to setting it at server-side in the first place.
More importantly, using Javascript makes it compatible with less clients, less robust, and less secure (as you cannot use HTTPOnly cookies).
Main problem is that when your site is used through not encrypted channel (regular HTTP, open WiFi network), everyone can get in possession of that cookie and gain an ability to login in behalf of your user.
There are few protection methods:
encoding browser/workstation-specific data in that cookie,
using HTTPS for everything,
using other storage (not cookies) - it is less possible that a script kiddie with Firesheep will try to capture localStorage data.
Also, as Gumbo mentioned (his comment is now gone and I have no idea, why), this applies for any session-based authentication. So, you PHP session has the same vulnerability (as it is still somehow cookie-based).
I have website w1 written in rails using auhtlogic for authentication and w2 in PHP(say), I want w2 to access session information stored by w2 and login user into w2 and also retrieve user_id from session.
By default, Rack (which Rails uses to manage its sessions) stores session information in cookies by marshalling the session hash (see here), which results in a string that is specific to Ruby. It would be extremely difficult to use PHP to deserialize this information.
If you're dead set on doing this, you're going to have to handle the session serialization yourself. I think a full solution is outside the scope of a single question on SO, but a few pointers:
It would be wise to store only a session id in the cookie, and then keep the actual session data in a database that would be accessible from both the PHP and Rails apps. If you really want to keep the session information in a cookie (or in another place like memcached, where you'd also have to serialize it), look into serialization strategies that work across languages, like MessagePack.
You'll want to do something to ensure that the cookie is not tampered with by the user. Rack uses HMAC, which is a good solution. I've never used PHP, but I'm sure they also have a library for it.
You probably already know this, but just in case: This is all assuming that your two apps are sharing the same domain name. If they're not, then your users' browsers won't share the cookie between the two apps, and there's not really anything you can do. For example, you could share sessions between railsapp.yourdomain.com and phpapp.yourdomain.com, but not railsapp.com and phpapp.com.
Good luck!
i tried a solution sometime ago that was more a hack, but for my propose it worked.
after login, i used to write the user's cookie in a file in a public directory and when this user tried to access the other server where he had to access too, my application on this second server, just had to "know how to access" the remote file stored in the first server and load this content as cookie. I did used CURL at that time.
Note that it introduce some security breaches, and probably your security will rely on "obscurity" - for example, the algorithm to mount the file name where the cookie is stored and how to access it and any external webserver configuration.. Said that, i think we could think as well use a shared memcached to store the cookies..
Have you considered using Open ID?