I have a question in mind.
Is this possible? I need to put the login page of our other site into an iframe. and when logged in you will see a graph.
What I need is when I click the hyperlink is it will show the page in the iframe but autofill and auto- logged in the account so that what they will see is not the login page but the graph inside it.
Is there a way to pass the username and password in the iframe and trigger the logged in button or auto logged in?
Can do this in PHP or jquery?
Regards to all and thanks in advance.
The only caveat in Treffynnon's answer is that it requires you to have access to both systems to create a sort of "login code" web service that the two can use to communicate. If you only have access to the first site (the one that you want to include the iframe on), what I would do is the following (please note that this is not as secure as Treffynnon's answer):
load the page without the iframe
using ajax, query your server (over SSL!) for the username and password that you'll need to submit to the other server.
dynamically create your iframe, populated with a form that is basically identical to the login form on the other server, submitting with the same "method" to the same "action" as the other form. Then dynamically submit it. This should set the appropriate login cookies on the client so that they are logged in. Make sure you use SSL everywhere.
dynamically redirect the iframe to the page that has the chart you want to see.
obliterate any javascript variables that held secure login information.
Potential issues:
Some login processes are extremely finicky, and may be impossible to log in with using this method.
You're dramatically increasing the number of attack vectors on your site. For example: step 2, querying the login credentials, assumes that your security is adequate to prevent people querying for data they shouldn't have access to.
All of this assumes that it would be OK for the end user to access the login credentials, say, they have one username and password that they use at both sites. If you have 1 site-wide login that you're using to give your end users access to something they wouldn't otherwise get, then this will expose your login details to all of your users and you shouldn't do it. In that case, your only option is to do something completely on the back end. If you have access to the code for both sites, use Treffynnon's suggestion, otherwise you'll have to access and download the chart on the back end and re-display it for your users.
Do not expose the password rather create a unique key you can send over with them to authenticate them on the page that will be displayed in the iframe. This assumes that both systems are aware of the user and the unique key.
When you setup the iframe you can set its source to include some URL parameters:
<iframe src="http://example.org/api?key=<?php echo $unique_key; ?>">
This will get you around cross domain issues that a javascript method of doing this would throw up.
The first what you can try, is sending the username and password with GET method in iframe. Like src=yourscript.php?user=me&pass=secret so you can try to auth the user on the other side.
Related
I have a few scripts all linked to the same SQL database, but each one has its own admin.php
I have created links to the other admin.php(s) in the one I would consider the main admin panel.
as it is the same user name and ID how can I get the links to fill and submit the login details so I only have to login on the first admin panel and not each time a click a link to a new one
any help appreciated
You probably want to store some kind of authentication information in session data. Each time you access a script, it will check the session variables for some kind of security token. If it's there, it can use that to determine who has logged-in.
At the top of each PHP script (before you've output any HTML), include a call to session_start(). This will enable session information. You can then read/write elements in the $_SESSION superglobal array.
If you want the browser to remember the login for subsequent visits, you could also use cookie data. Just be aware that cookies are not particularly secure, so don't store usernames and passwords in them directly. Use some a unique encrypted/hashed token instead.
So I have the example-google.php script working, after loging in it throws the default user string has logged in. But my question is how does this protect anything?
Lets say I have //127.0.0.1/example-google.php and I added a href to //127.0.0.1/abc.php after the login is successful.
Well what keeps someone from just typing 127.0.0.1/abc.php? granted I could use $_SESSION to verify that "someone" logged in. But is that going to be enough? Is there a way to re-verify that the user that is trying to access abc.php is truely logged in when thrown from the other page?
Generally, the idea is that you use the session store, indeed.
For example, in my site I have a OpenID login using Steam Community. When a user logs in, after the mode / validate checks etc. from the LightOpenID example, I save their unique identifier in the session store (in this case a SteamID, in your case an email address presumably), then can just use this freely for subsequent requests.
As the session store is server-side, a user cannot impersonate another one without gaining their session cookie (session hijacking is another topic that someone else can go into much more detail on, but I'll give it a shot if requested), but most attacks will be defeated by also storing and validating the requesting IP address.
I keep a couple of mysql tables (one for sessions and one for user information) and store session information in the session table and include a reference to the users table. When a user successfully logs in with their OID provider they are sent back to my site with the confirmation from the provider. I keep track of my user from then on via their session id.
I wipe the session if they choose to log out, but maintain the user info for comments/posts on the site to track who said what.
I actually put a link to "?login={service}" which sends the request to the OID provider and redirects back to that page and on return from the provider it takes the successful login and stores the appropriate information and redirects the user back to the original page where they clicked the "login" button for whichever {service}. You only display the "members only" content if they are verified via OID. You don't create a standard HTML page at abc.php without any sort of way to confirm ID and I think the header redirect is important because it cleans up the URL displayed in the address.
I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)
Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.
Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
that depends.
if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
all of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.
I am needing help with single sign on. I have siteA.com that requires login credentials, once you are in SiteA.com you can do many things and one of them is access another application siteB.com. If you click on the option to go to this other application, the other application also has a login screen whose credentials are the same as siteA.com, so siteA.com and siteB.com have login screens of their own with the same credentials.
I am trying to make it a single sign on is there anyway I can remote login or pass credentials from siteA.com to siteB.com?
I am interested in:
Solved exactly same problem (actually also for 4 domains). The only solution I've came up with was, to include 3 hidden iframes on the 'Successful login page' and those iframes just load www.domain1.com/register_session.php, www.domain2.com/register_session.php, etc....
As a parameter for register_session.php I use 'sid' which contains session ID:
session_id($_GET['sid']);
session_start();
This is actually for keeping session alive on all those domains but the same would be for your case with cookies.
I think this could work but the problem is given the credentials, how can I make the script login to siteB.com?
I have done something which KIND of works...I copied the html of siteB.com and added that to hidden in siteA.com and at siteA.com made it do a double POST, one to siteA.com's login and another to siteB.com's login. This works only if the user has logged in to siteB.com lately, I think that logging in to siteB.com it sets a cookie to control access thats why doing the double POST allows you to fool the login system and as long as the correct credentials are provided it does a successful grab of login cookie, allowing you to login.
Store the user's information in a cookie( such as the user's id in the database ) then on the login page, look for that cookie. if it exists and is a valid user, go ahead and log them in.
When creating a cookie, you should be able to set it's domain to the domain of siteB.com so that siteB.com can see it. Simply create one cookie for each domain that needs to be able to read that cookie, and set acceptable expires settings on each cookie so that they either expire on session end or after x days.
Depending on how much security you need, you may need to put some kind of protection to prevent someone from simply creating their own cookie to get in freely (such as encryption)
I once had to tackle a similar problem. What I ended up doing was appending a hash to the URL query string of any link [or form] going from SiteA to SiteB, and visa versa. I used an MD5 hash of the user ID in the database for the value. On both sites, if that hash is present in $_GET, log the user in using a search for "MD5(user_id) = ?" instead of searching by username and password.
Edit: Note, this isn't a very secure solution - it just happened to be perfect for what I was trying to achieve. Please do keep security in mind. In my post above, an attacker could potentially determine that the token is an MD5 hash of an integer and start tinkering with it.
I've searched on this and I'm still not sure. In asp.net, I can programmatically login a user on the server side...and I'm not talking about a client-side script that fills in the forms automatically when they pull up the site. I can check something server-side and, if true, log them into the site. If false I can redirect to a user name/password form and make them type in the user name and password.
Is it possible to do something similar in PHP?
I have something I would like to do, but it sure would be nice not to waste time on something if it isn't even possible to begin with
Thanks!
-=-=-=
In asp.net the process works like this:
call uservalidate method to see if the credentials are correct
call formsauthentication.setauthcookie to set the authentication cookie
redirect user to predetermined page
e.g.,
Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
FormsAuthentication.SetAuthCookie("username", false);
Response.Redirect("samepage.aspx");
Only on the redirect does the ticket get processed.
Sure it can - you need to read up on PHP Sessions.
You accept the user's credentials via a standard POST request sent from a form.
Take the credentials and check if they match (usually by querying a DB).
If they do, set a session variable to indicate the user has authenticated ($_SESSION['user_is_authenticated'] = true);
Check in your subsequent pages that needs to be secured if the user is authenticated or not - if he's not, redirect to login page: if (!$_SESSION['user_is_authenticated']) header('location:login.php');
I don't know ASP, but you'd simply just set the session in PHP. For example, if your login scripts looks for a user object in the session, you'd just load that user from your datasource and load it into the session. You'd also need to set whatever other flags you might be checking.
This is a common requirement when you want to give admins the ability to login as a user in your site.