I had a scenario and want opinion by you people.
I have different web applications developed in Django, Rails, PHP , I want all of them to share the same session data every time. Means if a use is logged in to a PHP app, it can automatically be logged in to Rails app and vise versa.
I know its some kind of Central Authentication Server. Some of these are cas, josso.
What do you people have opinion for it. I want the behavior like Google Apps, when i am logged into Gmail, i can automatically logged into GoogleDocs as well.
Please share your thoughts, that how to implement this scenario?
Google runs entirely off the .google.com domain, which is why they have absolutely no problem using a single cookie to identify you across applications. If your applications all run on the same domain, I'd say go ahead and write a custom implementation to authorize users with a shared session cookie.
However, in the more likely event that this is not the case, you're better off implementing one of the more popular and wide-spread SSO methodologies like OAuth or OpenID seperately in your applications and either giving your users a centralized application at which to authenticate, or let them authenticate via external providers (like Facebook or Google, which supports authenticating via OpenID)
You can run your own OAuth or OpenID endpoint at which your users register and then auth via this endpoint on any of your applications.
In PHP, you can use session_set_save_handler to specify how the session is persistent and restored. I guess Django and Ruby On Rails provide similar means
just store the sessions in the db ore handle them yourself completely
the best approach would be to create a special table for this
watch out as php want to store this data sialized so unserialize before storing in the appropiate field as serialized data is too hard to handle
in php you have
$_SESSION
and session_set_save_handler()
but i think it is better for you to make it yourself
make sure all sites use a single cookie domain(ajax onload(to try getting this coockie), or keep the same domain)
In my apps I use SESSION to store a value of logged in user. For example $_SESSION['site1']['bakcend']['loggedin']=1; Than put a session check on other places. They of course are all under same domain.tld If you use above example $_SESSION['site1']['bakcend']['loggedin']=1; you will need a lot of checks if you have many sections. But this is only an opinion, there is a place for much more flexibility.
You can use cookies too.
Related
There is any way to check the login status through different programming language?
Right now I'm using three session (same name) that starts at the same time after the login process, using ajax.
Right now, the login.html form is processed on three files: login.aspx, login.asp and login.php but it's seems too slow and weird. I'm combining three different services from the same company into one, after re-building the users and others common tables in mysql, everything seems to work fine, but I'm really scared about security bugs.
Just to let you you know, I have to check the login session status before any ajax callback, so if the user is working on an ASP page calling PHP through Ajax, may be that the session is still active on the ASP, but expired on the php file.
Any valid method to check all in one time? I can also accept a cookie solution but how to make it readable between php, asp and .net?
This sounds like single sign-on to me. Let's try to split the problem.
There is any way to check the login status through different programming language?
You're not really interested in the language used. Any language, given the same info and algorithm, would decode with success the same encrypted data. I guess you're instead having problems because PHP's application logic regarding this point is different from the ASP's one.
So for the first point, you can
Implement / normalize the same session checking logic among all of your apps. This is probably unfeasible, because you might be using Laravel here, and ASP.Net on the other, and the two are probably slightly different in this regard. If you can, do this, or...
Look into JSON Web Tokens. I won't go into detail, but these were more or less designed to solve this class of problems. They are also easy to handle, but be aware, there are aspects you have to take care of when using them for user authentication.
[...] Just to let you you know, I have to check the login session status before any ajax callback, so if the user is working on an ASP page calling PHP through Ajax, may be that the session is still active on the ASP, but expired on the php file.
Not to be that guy, but some concepts are somewhat deformed here. Sessions don't expire on files; they normally are setup with a given expiration time and a given domain. So generally speaking, a session opened from a PHP app, and stored on a cookie, then read from an ASP one shouldn't change, given that no difference exists between the two app's session handling logic.
Any valid method to check all in one time? I can also accept a cookie solution but how to make it readable between php, asp and .net?
For both of the solutions i suggested above is, especially for the cookie one, it's important you make the apps absolutely identical in respect to session handling. While this is trivial with JWT (as there's barely any logic on the app's side), this may prove to be harder with cookies if the authentication logic comes from some one else's code (as in a framework).
I haven't asked about single sign-out, and at this point i'm afraid to ask :). But these are some guidelines:
If going the cookie route, be aware of cookie's domain. A cookie is normally valid for every request coming from the website domain (name.com), but you may have some of your apps under a subdomain (like, phpapp.name.com). In this case, be sure the cookie created from the given app is valid for the whole domain, and not just the subdomain. And make the apps available at subdomains / pages under the same domain. Cookies don't work cross-domain, and you have to deal with that, since cookie domain policy is enforced at browser level.
Launching three AJAX calls means triggering three login procedures. I suppose all of these would terminate, at some point in the future, and all of those would be storing / rewriting the cookie. If the apps understand the same cookie, it's mandatory you open the login process on just one of them. This would store the cookie, which would then be automatically picked app from, say, a page in the second app, giving you a seamless transition into a logged-state in the second app.
JWT would normally require some JS work, which you may like since the same script can easily be loaded in all of your apps. On the other side, you can be sure that different server libraries handling JWT would all work the same for you, thus ensuring compatibility.
Personally, i would look into JSON Web Tokens.
You can develop your own session provider which stores data in a separate place (for ex. in database or files). Then everything you need to do is write some code in every environment to handle your session information from that provider. Because you use only one source to store session information there will be no problem with synchronization between any of yours environment.
If you need then you can use a webservice for exchange session information between every environment and session provider. Every application can use security connection to get and set information about session from that session webservice.
I think you can do this!You can create provider which stores data into database. Then Write some cool code to manage your provider.You can also use webapp or sevice.Every service use security to get and put information.
I am new for single sign on. My system has three different instances with different applications 1.Openerp 2.Magneto 3.Php web site and in all applications my user and password is same. I am getting confused from where I should start.
can I use OAuth for this or which will be simplest way to achieve single sign on
I can also have LDAP is necessary.
Assuming you have a common database for all this, you can achieve this by writing few API's.
And use a kind of tokenization approach. That means when a user enters valid credentials, you create a token and store it in db for that user and return the same token as a response.
Use the same token to set it as browser session or cookie, and now across different application i.e 1.Openerp 2.Magneto 3.Php web site read the above cookie/session, if it is set, log them in.
You can create a global variable to read let's say a cookie or session variable. That could come in handy if you want to manually implement the single sign on. On the other hand you can use OpenID you should look into that it might be useful
Easiest way to use oauth to achieve single sign on after looking at your scenario.
Single sign-on (SSO) is a way to authenticate users on multiple related, but independent software systems. Once logged in, a user can switch from one system to the next without the need to login again. Conversely, single sign-off is a way to log out and terminate access to multiple software systems with a single sign-off action.
for more info about single sign on see this link
http://twiki.org/cgi-bin/view/Blog/BlogEntry201206x1
and for applying this mechanism on openerp see this link
http://acespritechblog.com/2012/09/29/how-openerp-works-as-sso/
you can also if you are technical guy have a look on this module
https://www.odoo.com/apps/6.0/smile_sso/
I am currently building a Flex 4 web app using PHP as my backend. I am using AMF to let the backend and flex application talk to each other.
How can I protect my AMF endpoint? Users can just decompile my flex application, find the URI to my endpoint and call methods. I need to ensure that all calls to the endpoint is done from within my application.
I would like to prevent somethig like this from happening: http://musicmachinery.com/2009/04/15/inside-the-precision-hack/
What are the best ways to achieve that?
Thanks :)
URLs aren't important. They're very easy to find out from any web application, and yet you still need it to have public access to them. There are a few things to do, first, if you're interested in the data security itself, you'll probably want to have your server running over https instead of http. If data security isn't crucial however (and it often isn't), you just need to have a quick and dirty authentication system.
I'm sure you can find many articles online or even frameworks made for authentication for php. In the past when I needed a very simple authentication, I would have my client send over a username and SHA1 password to an open authentication function on php, which would then create, store and return a session ID. That session ID would then be the first parameter of all the other php functions. Those functions would check the DB to see if the session ID is there or still valid (15 minute timestamp from the last time it was used) and if it is, go ahead with the function.
This is just a very simplistic way of doing things and will be good for a lot of small websites. If you need more security, send all of this over https to prevent sniffers to get the session id sent over the wire. After that, you're going into enterprise security which is probably overkill for what you want to do and will cost you an arm, a leg and your left testicle :P
I'm working in a website that is going to work like a landing point, providing a specialized service for many other websites. Users log-in to different sites and those sites have links to my website.
Now, I want to create my website using asp .net, and also I want to be able to use SSO (Single Sign-On) so the users doesn't have to authenticate again when they land on my site.
The problem is that most of the websites that are going to use the services of my site are in php, when users login on these sites, all the authentication process is handled and also a lot of data is fetched into the Session variable; what I want to do is to be able to capture all the data in the session variable coming from the php page, in my asp site.
I don't know if this is possible, maybe this can be done in another way
So far, the only thing I've been able to do in the asp is, ask for a parameter in the url and using that parameter query the database to get all the data that was already in the session in php.
So if any of you know a way to do this.
Thanks
My company does this extensively. Our app passes information from our software to other systems such as CRM's, appointment schedulers, data aggregators, etc. In cases where systems are radically different and access is not explicitly given, the best solution we've found is to use cURL and negotiate a data interchange via API. Setups with people of varying technical abilities can be challenging (we've actually provided code for several systems we wanted to communicate with) but in the end it's efficient and secure.
Unlike many UI guys, I'm a fan of OpenID for single login. However, that doesn't pass all the data you likely want to interchange between the sites.
You could either use a database as a session store point accessible by all pages. this makes it pretty easy to access session data by either php or asp.
I think this would be the mos performant way.
If you don'T want to give the other php sites any access to your databases you also could create a special page not for vewing in asp and tell the php sites to drop the session contents via curl there and in that sie then save the session stuff in your database.
It's not clear from your question whether you are hosting both ASP and PHP websites on one server or if your ASP site will be used with other third-party sites.
If you run and manage the ASP and PHP sites on one machine, then storing session information in the database will be the way to go and isn't too difficult. You'll need to make sure that the session data you store in the database can be read by both PHP and ASP--I'd pick something simple like JSON. A url parameter would be a bad way to get at this data, as it makes user information available to anyone who could guess a user id.
It's not so simple, however, if you want to provide SSO capabilities with third party sites. In this case, you'll have to implement an authentication API that the third party sites can call to log their user into your site when they initially authenticate the user on their own.
I'm implementing login and registration for multiple domains that talk to a single database - we'll call them i.domain-a.com and i.domain-b.com. Both these subdomains have A records in the DNS that point to a single server - thus making i.domain-a.com/hello.php and i.domain-b.com/hello.php run the same thing.
So, if I create a session on domain A, then I can go to domain B and retrieve the same session information. To implement completely separate login systems for both of them that utilise the same PHP functions I have written to handle registration, should I do something with session_name() based on $_SERVER['HTTP_HOST']? I'm not sure how similar my situation is to this guy, and hope this question isn't too similar.
To avoid problems with sessions you should use the session_name('myapplication') [ session_name({UNIQUE_APP_ID}) ].
The problem you are mentioning can occur in more simple situations where there is an administration panel and a sign-in form for the users of the web site.
If session_name is not used a signed-in user could have access to the admin. panel but this depends on the auth. scheme and mechanism you have implemented.
regards,
Sessions/cookies are domain-specific and don't rely on DNS settings. If you want both system's sessions to be separate while they live on separate domains you're already all set.
I believe session_name() would've actually been the best solution for that other guy's question, two separate sessions on the same domain.
No. The mechanism that stops different users getting the same session works on a per server basis, not a per hostname basis.