I'm not sure if this is even possible, but I figured this was a great place to ask the question.
I'm using http://simpletest.org/en/browser_documentation.html PHP WebBrowser to test a wordpress site. What I'm doing is setting the login credentials to access the wordpress backend. I run a couple of test, but my question is in certain situations I want to transfer the session that the "SimpleTest PHP Web Browser" has running to client's browser. Aka... my browser.
So in a since I"m transferring the session from the server side test browser to a normal client browser. This "client browser" is the same browser that is literally running the SimpleTest script to begin with.
I'm wondering if I can transfer the header & cookies associated with the "SimpleTest PHP Web Browser" to my browser. What I'm thinking is to pull the data out using the SimpleTest PHP Library and then set that information to the client browser using Javascript.
Is this even possible? I feel like I'm missing some basic understanding of server side session authentication which would make this impossible.
Any ideas? I'm really curious!
Did you look at the Authentication documentation for SimpleTest?
Related
Is it possible to read the cookies that are sent by a third-party homepage using php?
In concrete, i want to find out if a page using GTM does also set .ga cookies.
I was thinking of a "virtual browser" solution on the server, is that possible / is anybody experienced with that?
Thanks!
No, because PHP runs on the server and gets only the cookies of that domain
Cookies are stored on the client (browser). PHP is executed on the other side. The cookies are stored in the browser and the browser sends the cookie values along with the HTTP request to the server.
Therefore, the PHP process only gets to see the cookies of that domain.
And if you think of it, everything else would be a security flaw because every site could read for example secrets of sessions that are open on another site!
Not sure this is possible but...
What I would like to do is to use ASP.NET impersonation to authenticate a Flash app as a user in IIS so that the file dependencies related to the flash file ( XML config files, and PHP API calls ) are not anonymously accessible when users try to access them directly through the URL. So, instead of displaying the contents of an XML config file, it should tell the unauthenticated user they do not have permission to view the file.
Is this possible? Right now I'm looking into request headers and the settings in IIS for authentication.
So I found out how to use Basic Authentication through help posted here. The problem I'm running into is that even though the flash app sends the appropriate request. Which is handled fine in FF, Chrome, and Safari. It still displays the login pop-up box for Opera and IE. Does anyone know why IE and Opera behave differently with Basic Authentication?
Any help on this would be greatly appreciated.
use ASP.NET impersonation to authenticate a Flash app as a user in IIS
Assuming I understood your post correctly:
If your intent is to protect some file from unauthorized access, you should check if the solutions provided actually do so. Flash is a client side plug-in, and therefore its communication with the server (side) can be inspected using readily available tools (Safari/Chrome/IE developer tools, Firebug, etc). So if Flash is a "user" and you hard-code its authentication, it would be trivial to inspect that (http) request and "see" the data being passed....
On the other hand, if you are saying you want to incorporate a user login (each user will have to provide credentials) and then have that communicate with your server side authentication scheme then it would be fine (just like any other browser based login scheme).
I'm developing a FLEX application which has a Java Server as back-end.
What I need:
-The FLEX app can only be used if the user it's logged;
-The FLEX app also needs to know which user it's logged, because it will shows especific content about him;
-I need to perform authentication on every webservice call;
However, the webpages are being developed using PHP, as well the login system.
After some digging, I've discovered that I can use the PHP session ID for authenticate every webservice calls, by using the php-java-bridge so both PHP and Java can share the same session.
My problem it's that I don't know how the FLEX app can get the current PHP session ID. I know that it's possible to pass it by flashvars, but I think it's not secure.
If someone has other solution, even not using the PHP session id, I'd really appreciate it.
Thanks in advance.
I see no benefit for Flex to access the PHP Session ID directly; are you sure that's what you need?
The SWF files that Flex creates are intended as client side software. Whereas PHP and Java are usually used as server side software. Try not to treat your Flex app as if it were a server side program.
The way most web applications handle sessions is that the server sets some cookie on the client. The browser automatically passes that cookie with every request; and the server uses that cookie value to sync the request up with a server side session.I know ColdFusion and Java work like this and I assume PHP uses a similar mechanism.
Every time that your SWF (AKA Flex App) makes a request to the remote server, the request will include all cookies set by the server, just like it is a normal browser request. The server should automatically sync the Flex request to a server side session.
Does that help?
you can have a php page that will be called by flex using httpService, return the $_SESSION['userName'] or your session variable. if returned empty. stop the loading of the program. hope it make sense. coz i did the same thing..
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.
I have a client running an ASP.NET application. Inside of that, there's a self-contained PHP wiki. The problem is that the wiki won't use the .NET authentication, so requests directly to http://foobar/path/wiki/ will resolve without forcing a login.
My simple solution for this is to run the PHP application in an iFrame from an .aspx file that will force authentication, and then use PHP to detect if the page is loaded outside of a frame and redirect if so.
I know this can be done with JavaScript quite easily, but I would prefer to do this test server-side before the Wiki content loads. I need help figuring out a way that this can be done. Referrer comparison perhaps?
Any suggestions?
Thanks!
There is no way to tell on the server-side if a client's browser is loading a page within a frame, tab, or dedicated window.
What you can do is have your .NET application set a cookie after authenticating that the PHP application will read. If the cookie doesn't exist then do a redirect to the authentication page.
Even with JavaScript this is not secure. One could simply request the Wiki pages and ignore the JavaScript. For example, I could use WGET to pull down all your content without ever authenticating.
If security is important, I would highly recommend figuring out a way to make the PHP app aware of the authentication.
The simplest approach, if this is all on one server, would be to have the .NET application store some sort of token after authenticating, somewhere PHP can access it. Then set a cookie that the PHP wiki will receive and check that value is a valid session for each request.