I wrote my own long-pollig Tornado/AJAX chat with rooms , whisper messages and other cool stuff . Till now as user authentication for just test purposes i've been using cookies . So u had to just enter your name ,after what cokie 'user' was created and chat would react accordingly to that cookie . But the problem is that i wrote this chat for a friend which has a php site. So basically i need to authenticate users based on his sessions. Thats where i got confused. And i am very ashamed , because i caught myself on a thought that i don't know how exactly session work , which is kind of absurd, because i don't consider myself such a bad programmer ^^ Well shit happens. Well ofcourse i know that sessions only store id on the client and other information is stored on the server , but that doesn't really help because i need know excatly what happens in details . Sure i googled a bit , but still am confused how to solve this problem. So the basic questions are :
1) Would appreciate if someone could in details explain one more time exactly how sessions work , and what i need know or have access to on php site , to use sessions in another application ...
*2)*So for example when i authenticate on my django site ,session is created with some value like 's5ds6dssd6' , and to tell the truth i don't know what to further do with it.Ashamed again. For example in PHP to extract username (if it was set) and check/do something i would do something like PHP_SESSION['username'] === ... .In django even less work just to use decorator or user.is_authenticated method. Yet how works inside and what i need i don't know.
There is a big chance what i wrote is stupid , and it's very easy , and i am a moron , which wrote before trying ...Yet even if i somehow would be able to get data from sessions/php site how could i be sure that some guy didn't create session with random id by himself , without authencating on php site ....
Well hope someone could point me in right direction . It felt necessary to write so much so you could udnerstand =) what bothers me and respond accordingly.... Sorry if i wrote something stupid.
1) Would appreciate if someone could
in details explain one more time
exactly how sessions work , and what i
need know or have access to on php
site , to use sessions in another
application ...
P.S: I am using Linux(I use the freely available Ubuntu which is the most popular/user-friendly Linux distro) as OS below and I would advice you to use a *nx distro(MacOSX is also pretty good but expensive in my opinion) as well with all your webdevelopment although all these commands are also available in Cygwin(windows).
Sessions are:
Session support in PHP consists of a
way to preserve certain data across
subsequent accesses. This enables you
to build more customized applications
and increase the appeal of your web
site.
Below I try to explain what sessions are and how they are using cookies
I created a simple no.php which does not use sessions and simply outputs Hello World:
Hello World
When we curl this script with the headers using -v we get the following output:
alfred#alfred-laptop:~/www/6500588$ curl http://localhost/6500588/no.php -v
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/no.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:10:53 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Vary: Accept-Encoding
< Content-Length: 12
< Content-Type: text/html
<
Hello World
* Connection #0 to host localhost left intact
* Closing connection #0
As you can see from the output no cookie has been set. If you do this repeatedly you will get the same output.
Next I create a simple yes.php file which does make use of sessions.
<?php
session_start();
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
}
echo $_SESSION['count']++;
Let's show the output from curl without storing the cookie:
alfred#alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:12:47 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Set-Cookie: PHPSESSID=hrduhht116e9mikhkkj0gu7126; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
As you can see the count is 0, but also a cookie has been set: Set-Cookie: PHPSESSID=hrduhht116e9mikhkkj0gu7126; path=/. with session_id hrduhht116e9mikhkkj0gu7126
If we do not store this cookie when we issue the same curl command again we wil still receive 0 as answer(forget to count) and also receive another cookie.
alfred#alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:16:42 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Set-Cookie: PHPSESSID=ihlj9c9fifl8f0lklu0umesas2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
As you can see hrduhht116e9mikhkkj0gu7126 is not equal to ihlj9c9fifl8f0lklu0umesas2 which means a new cookie has been set and the information in that session is lost.
Next we store the cookie to cookie file issuing -c flag
alfred#alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v -c cookie
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:27:11 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie PHPSESSID="1h6710hhk84e0k9bj2kg7p03u5" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=1h6710hhk84e0k9bj2kg7p03u5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
As you can see from ls(directory listing) we stored cookie to file named cookie.
alfred#alfred-laptop:~/www/6500588$ ls -al
total 20
drwxr-xr-x 2 alfred alfred 4096 2011-06-28 04:27 .
drwxr-xr-x 19 alfred alfred 4096 2011-06-28 03:59 ..
-rw-r--r-- 1 alfred alfred 196 2011-06-28 04:27 cookie
-rw-r--r-- 1 alfred alfred 12 2011-06-28 04:00 no.php
-rw-r--r-- 1 alfred alfred 114 2011-06-28 04:12 yes.php
That cookie to keep track of the count contains the following information according to cat(shows output of file)
alfred#alfred-laptop:~/www/6500588$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
localhost FALSE / FALSE 0 PHPSESSID 1h6710hhk84e0k9bj2kg7p03u5
We next use that cookie to keep track of the count.
alfred#alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v -b cookie
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: PHPSESSID=1h6710hhk84e0k9bj2kg7p03u5
>
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:40:18 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
1
As you can see we used that cookie with the same ID 1h6710hhk84e0k9bj2kg7p03u5 and the count is 1 instead of 0 when we don't use any cookie(or not store cookie and get new cookie).
So basically i need to authenticate
users based on his sessions.
sessions are just simple using cookies(sessionid) under the cover. You could for example override the standard implementation for sessions to use the database instead of the filesystem(interesting read!). But I would just use the session_id you receive from PHP(session_id) within your tornado application to authenticate your session because that should be unique(hard to guess).
session_id() returns the session id
for the current session or the empty
string ("") if there is no current
session (no current session id
exists).
P.S: I hope this answers your question a little bit. If not you could ask in the comments for a little bit more information?
Related
I've been trying to send a post request to this login page https://njit2.mrooms.net/auth/saml2/login.php but it doesn't successfully log me in even though the credentials are correct.
here is the full command I'm using in my terminal:
curl --data "j_username=user&j_password=pass&_eventId_proceed=" https://njit2.mrooms.net/auth/saml2/login.php
If you can spot anything that I'm not getting then it'll be much appreciated. Thanks.
edit: with -v flag this is what I get in the beginning of the response:
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 34.192.104.23...
* Connected to njit2.mrooms.net (34.192.104.23) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.mrooms.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.mrooms.net
* start date: Thu, 30 Nov 2017 00:00:00 GMT
* expire date: Thu, 17 Jan 2019 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
* compression: NULL
* ALPN, server did not agree to a protocol
> POST /auth/saml2/login.php HTTP/1.1
> Host: njit2.mrooms.net
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 54
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 54 out of 54 bytes
< HTTP/1.1 200 OK
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: text/html; charset=utf-8
< Date: Mon, 17 Sep 2018 05:54:50 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Server: Apache
< Set-Cookie: MoodleSession=fe6dc1b41104b83d391d8700d60f9308; path=/
< Set-Cookie: MDL_SSP_SessID=402ef69749885fa74956365b087e5747; path=/; HttpOnly
< Vary: Accept-Encoding
< X-Powered-By: PHP/7.1.15-1+ubuntu14.04.1+deb.sury.org+2
< transfer-encoding: chunked
< Connection: keep-alive
While testing my server-side php functions to create device groups i lost track of the notification key returned as a result of successfully creating a device group.
As described in https://groups.google.com/forum/#!topic/firebase-talk/ytovugx8XNs i tried
curl -v -H Content-Type:application/json -H Authorization:key=<your api key>
-H project_id:<your project id>
https://android.googleapis.com/gcm/notification?notification_key_name=testgroup
where the project id is the one found in firebase console, the same shown in the url and the very same present even in my google-services.json
As a result i get
HTTP/1.1 400 Bad Request Content-Type: application/json;
charset=UTF-8 Date: Tue, 18 Apr 2017 08:21:30 GMT Expires: Tue, 18
Apr 2017 08:21:30 GMT Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: quic=":443";
ma=2592000; v="37,36,35" Accept-Ranges: none Vary: Accept-Encoding
Transfer-Encoding: chunked
* Curl_http_done: called premature == 0
* Connection #0 to host android.googleapis.com left intact {"error":"INVALID_PROJECT_ID"}
I can't find a way out of this, since after losing a notification key the only way to recover it is with that command (afaik) . Please help.
The Project ID that should be used for FCM is the Sender ID. This value can be seen in the Firebase Console > Settings > Cloud Messaging Tab.
If you refer to the google-services.json file, the value for project_number should be the one you use (same value as seen from the Firebase Console). It's a numerical-only value.
How can I avoid, that PHP (or apache) automatically adds a charset=utf-8 to the Content-type eader when sending the content type?
(Reason is that this is causing issues with Internet Explorer)
orange public$ cat test.php
<?php
header('Content-Type: text/xml');
orange public$ curl -v example.com.orange.me.local/test.php
#* Trying 10.0.0.1...
* Connected to example.com.orange.me.local (10.0.0.1) port 80 (#0)
> GET /test.php HTTP/1.1
> Host: example.com.orange.imi.local
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 01 Jun 2016 16:24:49 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Content-Length: 0
< Content-Type: text/xml;charset=UTF-8
<
* Connection #0 to host example.com.orange.me.local left intact
I was able to remove the charset using
ini_set('default_charset', '');
in my script and
AddDefaultCharset off
in my .htaccess
I want to grab the URL of the artwork associated with a Soundcloud track with plain PHP without using their API. The HTML page has an og:image meta tag property which fits perfectly for my needs.
For example, the meta property of track https://soundcloud.com/dengue/sets/nuevos-sonidos looks like that:
<meta property="og:image" content="https://i1.sndcdn.com/artworks-000077991135-u5nvu1-t500x500.jpg">
The problem is that the HTTP request returns an 301 Moved Permanently code and so the use of DOMDocument class loadHTMLFile function gives an error.
If you really don't want to use their API (which seems like a bad call, because you don't need to do ANY auth; it's completely open), you can do some easy hacks.
I'm not getting any redirects from cURL
~ $ curl -v https://soundcloud.com/dengue/sets/nuevos-sonidos
* Trying 68.232.44.127...
* Connected to soundcloud.com (68.232.44.127) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.soundcloud.com
* Server certificate: GlobalSign Domain Validation CA - SHA256 - G2
* Server certificate: GlobalSign Root CA
> GET /dengue/sets/nuevos-sonidos HTTP/1.1
> Host: soundcloud.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: private, max-age=0
< Content-Type: text/html
< Date: Sat, 07 May 2016 03:42:20 GMT
< Server: am/2
< Set-Cookie: sc_anonymous_id=363279-961735-991413-425081; path=/; expires=Tue, 05 May 2026 03:42:20 GMT; domain=.soundcloud.com
< Via: sssr
< X-Frame-Options: SAMEORIGIN
< Content-Length: 47003
<
But if you are, you just have to add this option before you make the cURL from PHP:
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
If you're seriously into the hacking business, why don't you just do this:
<?php
$url = `curl -L https://soundcloud.com/dengue/sets/nuevos-sonidos 2>/dev/null | grep 'og:image' | sed 's/.*og:image" content="\\([^"]*\\).*/\\1/'`;
echo $url;
Which does this
~/Code/stack-overflow $ php hack.php
https://i1.sndcdn.com/artworks-000077991135-u5nvu1-t500x500.jpg
I am trying to check whether my requests are using TLS version >1. While curl command line gives me this information in the verbose output, php does not seem to be.
This is my PHP curl verbose output when the connection is initiated
* About to connect() to *** port 443 (#0)
* Trying 88.*.*.*... * connected
* Connected to *** (88.*.*.*) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: ***
* start date: Dec 21 18:43:21 2015 GMT
* expire date: Dec 21 18:38:18 2016 GMT
* common name: ***
* issuer: CN=Verizon Akamai SureServer CA G14-SHA2,OU=Cybertrust,O=Verizon Enterprise Solutions,L=Amsterdam,C=NL
* Server auth using Basic with user '***'
> GET /my/path HTTP/1.1
Authorization: ***
Host: ***
Accept: */*
< HTTP/1.1 200 OK
< Server: ***
< Content-Type: application/json;charset=utf-8
< Content-Length: 3733
< Expires: Wed, 03 Feb 2016 15:24:49 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Wed, 03 Feb 2016 15:24:49 GMT
< Connection: keep-alive
<
* Connection #0 to host *** left intact
* Closing connection #0
How can I say what is the TLS used in a connection? I would like to avoid using any 3rd party options like making request to https://www.howsmyssl.com/a/check