I have the following code:
$homepage = file_get_contents("https://example.com/specific_page");
echo $homepage;
The browser already has a session of the site that I need access to, so if I open the url in new tab, the page will be properly loaded.
The issue is that the php script, redirects me to "You are not logged in" page. Note that the url is available even after I restart the browser.
Any ideas how to get content without writing a code that logs in to the site?
PHP runs serversided so it has its own session handling, there is no link to your browsers session. You can use cURL and options like CURLOPT_COOKIEJAR to do this. With cURL you can login via PHP and keep the PHP session of the website you are requesting. You will find a bunch of examples in the cURL documentation I linked.
It would be an enormous security issue if a website could gain access to your data on arbitrary external websites. Imagine this: file_get_contents('https://yourbank.com/all-your-details').
The only way you can do this is to ask the user for his/her login credentials on the external website and log in manually. This will be unreliable, though, since the authentication process could change (and it's terribly rude to ask someone for his/her password).
This is generally what web service APIs are used for, but if there's none available for the site you're interested in, you're kind of stuck.
If you already know the login credentials for the website, then you could hardcode them into the script using the approach outlined by Blauesocke, but this won't work if the details are unique to the current user.
Related
Since PHP sessions are basically cookies, and I am using them to authenticate logged in users (I know, I should move to tokens), is it possible to read the session cookie on my node app? (I want to create a simple chat that gets the logged in username from the PHP session, and on the way allow only logged in users to use the chat)
What would then be the preferred way to do that? (In terms of security as well)
**Edit: I am trying to get something sort of the node equivalent of this in PHP:
if(!isset($_SESSION['user_id']){
//don't allow access to the chat page
} else {
//show chat for logged user
}
A cookie is not language specific so if the cookie is there, you could certainly read it with node.js.
BUT, the browser only sends cookies to the server that they are associated with. So, if your PHP server is not part of the same sub-domain as the node.js server and the cookies are configured to allow sharing with sub-domains, then the browser won't send the PHP cookie to your node.js server.
To read cookies with Express, you can use the cookie-parser module. Samples for how to use it are in the doc. After installing the cookie-parser middleware, you would end up referencing:
req.cookie
to access that same cookie. To manage sessions using Express and node.js and keep track of server-side session state, one would typically use the express-session module.
I have created an extension for my website. It should log in user to forum after he has logged in to the website.
User session was created successfully (checked in database), but user still not logged in.
If I try to log in with external login form, it works great (the session is created and user is logged in).
I think the problem is not in my authentication extension.
I think I did something wrong with curl post and cookie.
What curl options should I set to login? Or maybe you can give me some useful links?
Take some of those phpbb3_* cookies and then send them through
[setcookie()](php.net/setcookie) to pass along to the user. It
might work, depending on your level of cookie security in phpBB (it
can't be tied to IP because curl and the user IP will be different
drew010
You won't be able to use curl and pass the cookies to the client if you >have Session IP validation turned on. I'd suggest turning that off, or, >instead of using curl, look for a plugin/module that can do 3rd party >logins, or look at the authentication handling code and replicate it. It >wouldn't take much to log a user in without requiring their phpBB password
drew010
So I noticed with SharePoint sites if you are using IE, it automatically sends your AD username/pass to the server. Now I'm being asked if the same can be done with the other internal websites. The other websites are written in php and I don't have access to the server settings, just to the php scripts. I did find a way to authenticate against AD from php scripts once the username and password gets submitted to the scripts. So I'm like halfway there once the script knows what user/pass, the user wants to use it can check if it's valid. but what I still need to know is how to tell IE that this page needs to know the user/pass they are logged in as like the SharePoint site pages can.
When the Facebook session expires with my App, I have to use the Javascript SDK to create a new session. This is hugely annoying as it appears to the user that they are logged out occasionally as I do most of the detection server side. And then, when they reload the page and the javascript has executed, the session is recreated.
I am aware that I can fix this quite simply by using javascript to show a message saying 'please reload the page' (much like StackOverflow), however, I do not want my users to have to do this. I accept that the PHP SDK cannot do it, but is there any sort of hack I can do to achieve it myself using PHP instead of Javascript?
Can anyone explain why the PHP cannot do this?
PHP is running on your server, which has nothing to do with Facebook's servers. Remember that cookies are locked to the originating domain. The cookie will appear to have been set by YOUR server, and have an originating domain of "yoursite.com", not "facebook.com".
JS, on the other hand, runs on the client, and any requests made to Facebook's servers will also obey any cookies set by the Facebook servers.
For my application I need to know if a Facebook Connect session is valid from the server side.
The Javascript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.
The scenario where I need it is similar to the following:
Log in to The Run Around using Facebook connect.
Open Facebook in another tab.
Log out from the Facebook tab (not The Run Around).
Go back to the Run Around tab.
Enter a new entry, but deactivate the "Publish this run to Facebook" checkbox.
After submitting the form your run will get published though you logged out before! After that call, the site will log you out because the Javascript API will try to validate your status.
In the 5th step, the application should check with Facebook if the session has expired or not (or use a workaround). The Connect implementation of The Run Around is flawed and shouldn't be used as an example because of this security issue.
While I understand your analysis of the situation, this is actually the correct behaviour.
The Run Around is a Facebook Connect site, which means that it is completely separate from Facebook, as it should be. When you use FB Connect to link your FB account to the Run Around site, it establishes a local session and account for you in the Run Around database. This is technically what you are logged in to The Run Around with. Once this happens, your Facebook session is entirely irrelevant unless The Run Around wants to retrieve information about you from Facebook.
There are options to provide a FB Connect site with closer linkage to Facebook if you want to. See Detecting Connect Status and the FB.init() parameters for more on this. The Run Around has utilized this to force a logout of the local session once it detects that you are no longer logged in to Facebook. However, this only occurs once a page change or action happens and the Javascript runs to verify your FB session status.
The overall effect of how this all works is that Facebook Connect sites retain the ability to manage users locally, and only utilize Facebook features when needed and/or possible.
A friend told me the way to know if a session is valid or not:
http://wiki.developers.facebook.com/index.php/Users.getLoggedInUser
This method uses the session key as a parameter and returns the user id. If the session has expired, an error code is returned.
NOTE:
I won't use this in my application, as Zombat said, my app should keep its own session. I'll do what Digg does: be consistent with the log in and log out procedure by not automatically logging in and out when someone logs on Facebook.
The Run Around tries to do everything automatically, but that is problematic, specially because the app doesn't check the session from the server side.