I have a loginform where users can login with two different accounts - one is a SolarisLDAP account and the other is an Active Directory account.
When the user tries to log in I want to find out which account he uses (which is not the problem).
If he's using the SolarisLDAP account, the authentication is done in PHP.
But if it is an AD account it must be passed to Apache (because I have to use the mod_auth_kerb to authenticate against our AD).
I wonder if this is possible in any way. Could I just set $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], or $_SERVER['REMOTE_USER'], and that's it?
Or would it be a possibility to kinda do it via the headers or a redirect?
Hope you understand what I'm trying to do..
Cheers
I wonder if this is possible in any way.
Unfortunately - no.
Also note that passing whatever variables from PHP to Apache makes no sense in that context.
It is not PHP but browser you want to authenticate with Apache, and, obviously, you have no control of.
This depends on which environment variables apache does set for the request. Do a
var_dump($_SERVER);
to get a list of all available ones. Go through that list and find out which ones are related to the authentication. It's probably something non-standard, this is a general list: http://php.net/_SERVER, compare it with your var_dump output.
Also this might depend on which Server-API (SAPI) you're using with PHPDocs.
Related
I've read multiple comments about encrypting PHP session data, in case it is stored in a temp directory that is available on multiple accounts on a shared server. However, even if the data is encrypted, session_start() still generates filenames containing the session_id. For example,
sess_uivrkk2c5ksnv2hnt5rc8tvgi5
, where uivrkk2c5ksnv2hnt5rc8tvgi5 is the same session id I found in the cookie my browser received.
How is this problem typically addressed / could someone point me to an example? All of the simple examples I've found only address encrypting the data, not changing the filename.
Just to see what would happen, I made a SessionHandler wrapper that would do an MD5 hash on the $session_id variable before passing it on to its parent function, but that did not work. Instead, I ended up with two files: a blank one (with session_id as a part of its name) and a full one (with an MD5'ed session_id). Also, there was the problem of close() not accepting session_id as a parameter, so I couldn't pass it on to its parent.
EDIT: I 'm learning about php sessions, this isn't for a live commercial site, etc.
Yes, in some scenarios (i.e. a very incompetently configured server - although these do unfortunately exist) on a shared server your session data may be readable by other people. Trying to hide the session files by changing their names serves no useful purpose - this is described as "Security through Obscurity". Go and Google the phrase - it is usually described as an oxymoron.
If your question is how do you prevent other customers accessing your session data on a badly configured server then the sensible choices (in order of priority) are:
switch service provider
use a custom session handler to store the data somewhere secure (e.g. database) There are lots of examples on the web - quality varies
use a custom session handler to encrypt the data and use file storage. Again you don't need to write the code yourself - just scrutinize any candidates
If you want to find out if your provider might be a culprit - just have a look at the value of FILE. Does it look as if you have access to the root filesystem? Write a script which tries to read from outside your home directory. If you can't then the provider may have set an open_basedir restriction (it is possible to get around this - again Google will tell you how).
I run a website which can be reached through different domains: domainname.de, domainname.ch, domainname.at, domainname.es etc. ...
When my customer wants to pay we gets to a payment page which is of course https secured. Due to server limitations I am only allowed to have one SSL Certificate which I only put on one domain: domainname-secure.com.
Because I charge different prices I need to know which domain the user belongs to, so when redirecting to domainname-secure.com I save the domain (e.g. domainname.de) in the session variable $_SESSION['domain_default'] and pass the sessionID by adding session_id=[session_id] as a get parameter.
Then I check I take $_GET['session_id'] and run the follow command to have the session available on the domainname-secure.com:
session_id($_GET['session_id']);
session_start();
When I test it myself, it works perfectly fine but I make a log entry when somebody gets to domainname-secure.com and has not have set $_SESSION['domain_default'].
This occurs several times a day but I really have no clue why this does not work! I am testing it again and again from many different links but for me it works perfectly fine.
Can some of you imagine why it sometimes does not work?
Is it not "good" or insecure to pass the session ID to another domain and is it not always readable after redirecting?
I know it is hard for you to determain a mistake but I am searching for some know issues with session or maybe a tip how to do it in a better way?
Session are administered by PHP on a per domain basis meaning they don't mix domains intentionally.
If you would be using another session storage mechanism such as writing into the database or using memcached sessions you'd be able to overcome this limitation.
There are two approaches if you want to be able to access the session info when changing domains either:
Don't use PHP's $_SESSION, setup your own session management with memcached/redis/sql;
Or:
Use PHP's $_SESSION, but when transferring from one domain to another serialize the data in $_SESSION and put it somewhere accessible from both domains like sql;
i have a php file named admin.php. It can be accessed by only X.But when i write the url like localhost/full/admin.php it can be viewed.it means if anyone knows the url he can access it.how can i provide security to this file thus it will be accessed.i am just using mysql and run it using localhost
you should look at the user & session management that php provides you. Look at it here. You can define users and its passwords, and authenticate them. This is the simplest method. Good luck
ACL will be more beneficial in the long run.
you could use something like:
if(strpos($_SERVER['HTTP_REFERER'], "https://mysite/a-page-that-sent-u-here") == true)
and then only allow access from a referrer page.
Or set a Session on one page, or even only allow it from your IP:
$_SERVER['REMOTE_ADDR']
Lots of ways
How to detect anonymous user like facebook does, when you open it throught proxy websites like hidemyass.com. I think its something related to proxy, but beyond I dont know anything about it, but I want to create that.
Most common way to detect proxy servers is by looking if these http headers fields are empty (if not, a proxy is used to access you're webserver):
HTTP_FORWARDED
HTTP:X-Forwarded
HTTP:Forwarded-For
HTTP:X-Forwarded-For
In PHP you can read these values with the getenv() function.
It is hard to say who is trying to hide his identity and who has limited/restricted access based on firewall rules etc. You can also check if user accept COOKIES by sending special token on first request and fetching on second.
by default, using sfDGP, when i try to execute an action of an application with security activated, the signin form appears but the URL doesn't change to "frontend_dev.php/login".
So, what should I do the URL to "frontend_dev.php/login" ?
Regards
Javi
Its been awhile since i dipped that deep, but if i recal correctly the security fowarding in Symfony uses an internal foward so that the server doesnt have to handle an entirely new request. When you use an internal forward like this the URL will not change, because as far as the client is concerned you are still at the same URL you initially requested.
You would need to create your own Security filter to replace the default sfBasicSecurityFilter i believe, and then you would also probably need to modify any instances in actions or elsewhere that use forward in response to invalid/non-existent credentials.
I dont think there is an easy way to do this, and honestly its not advisable if you do. There are probably other solutions to what you need to acheive... Why do you need the URL to change?
If you're already on frontend_dev.php/ before you attempt to login, this should happen normally as part of default behaviour --- unless you've been changing settings somewhere. You can always replace the URL manually once you've signed in by adding /frontend_dev.php/. It will work as you're authenticated on the machine anyway.