I need to make a script to authorize a user to browse a certain part of a site. That user has a software installed that make a url call. that's it. After that I know the user is authorized. How can I make my browser aware if the user has made or not that request? Is there a way? with cookies or http authentication?
Thank you
You know about sessions? You could e.g use a PHP Script. Writing all about sessions would be too much to explain here ... but try e.g. searching for php sessions.
You need to use sessions. Here is an example using sessions and MySQL to authenticate users: http://www.dreamincode.net/code/snippet1153.htm
PHP sestion is one of the solutions (The easy one) to authorise and identify the user.
Check this tutorial: http://www.tizag.com/phpT/phpsessions.php.
other option is HTTP authentication with PHP.
http://php.net/manual/en/features.http-auth.php
Related
I'm currently setting up PHP to use LDAP authentication, but looking to use cookies so that we don't have users logging in every time...
Does anyone have any suggestions on the best way to use cookies to authenticate with LDAP continually over a set period of time? (storing the password obviously being the main concern)
Thanks
I suggest using adLDAP http://adldap.sourceforge.net/
Store in your database a token (phpsessid) when the auth is made with a timeout.
On every page create a check_session function that verify the phpsessid if it's still valid.
I implemented this last week and it works like a charm.
Hope this helps.
Currently I am doing a project which runs both on Zend Framework (For Web site) and phone gap (For Mobile). I need to use the same code for website and web service for mobile.
Now I am facing the below mentioned issue,
The web service which I am calling from phone gap is to create the session and the session was created successfully. Now i am calling the another web service to get the user details based on session id. But the details are not displaying, because the session id is giving empty. So can you please suggest how can i proceed with this?
Thanks in advance
Session is not shareable. Try saving session id to database (or file) and than read it from server side.
Can you please give more information about how sessions are managed?
From the look of it, you might need to to use both $_SESSION and potentially an implementation of the SessionClassHandler interface to store sessions in a central database.
Also you might have issues with cookies, so you might need to pass the session id via URL. But this is very insecure so if this is the case, make sure that you at least use https or put oher mecanisms in place.
I hope this helps
I am working on a site that has a login API. So when people login on my site, they will automatically be logged in to other sites.
Is their way by which a session can be setup so that other websites can use it? If not, is their any other solution?
One way - you can store your session values in database, and can use in other sites. :)
Example:-
let suppose if my site is deployed on multiple servers and end user might be redirected to different servers accordingly to traffic, then it would be good to save the session values in db.
Yes. It's possible using in example Redis for the session storage. You should look for configuring php sessions to use custom storage. Here is php man for this http://php.net/session.customhandler
What you want to do is probably using a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this on Symfony2.
As example:
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API which the other applications can verify the cookie to. My Application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this in my login.* API. Expired > redirect to the login page, if not it will return the required info of that user and "login" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in mysql (cookie_id, cookie_contents). I have but 1 problem, it doesn't automatically purge the expired sessions, I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).
I have a django blog project and a chat in PHP.
I need to share the id of the user logged in django ( request.user.id ) with the chat in PHP.
Is this possible ?
I don't think using sessions in this way is a good idea, since they're designed to keep data temporarily for a certain user in an application. It might be a better idea to store the id in a cookie and read that in the chat, or pass a variable in the link.
You could use HTTP authentication for this. As long as both applications are on the same domain and the realm name (sent in the WWW-Authenticate header) is the same for both, once a use logs into one or the other application, the REMOTE_USER variable will be available to both and will contain the username of the person logged in.
See http://groups.google.com/group/django-users/msg/a492cb9394b0db4d for one answer
Say I have an ASP.NET webpage and I also have a PHP Blog/BBS/Website. I want all logins to be done via the ASP.NET webpage. The ASP.NET Session State is stored in SQL. Is there any way I can read/decode the Session State from PHP to tell if a user is logged on if I have the Session State cookie?
I don't think there's a supported way. You could reverse-engineer the store, but the database format may change with next .NET service pack and youe a'd be screwed then.
The only safe way would be to implement your own session state provider so you could guarantee that the database format doesn't change.
If all you need is to verify that the user is authenticated, it would be probably easier to send the user an encrypted cookie with the username and decrypt it in the PHP app.
I have never tried this but if you provided a simple web service that is part of your asp.net application but only accessable from your PHP site. You should now be able to read anything that is in session via the web serivce.
this is looks tricky, but try reading here. the issue here is know the way in what asp encodes and save the session, if you can read that format, this may help.
another way I'm thinking is to create a request to some "login" page form asp to php, where you send the login credentials and the php file creates the session, but this could be not secure if you leave it open, and also could be slow, since another request is necessary.
on the other hand I saw few sites, where once you are logged in, for example in the main site and you want to go to the forums, you click on some link that submit a form to the php login page (credentials are "harcoded" for that user in that session) and the php page login you like the "regular" behavior.
hope to be clear
Unless you specifically need full access to the entire asp.net session state, you may be better off just storing the particular pieces of information that you know both apps need to share in a shared database or file directly.
That way you can ignore most of the complexities of an asp.net session and just pick and choose the specific pieces data your apps need share with each other.