I have very specific problem.
I have web based application which set cookie after login. The same login details are used in desktop application which is connected to the web interface.
My idea was is it possible that when the user logins first in web app and it set cookie for him, then he downloads the application, install it on his PC and start it for first time somehow to get the user and password and auto fill the login fields in desktop application, so it won't be necessary to write them second time.
One of the ways is to save the login and password in a plaintext in cookie, which is very risky and then the desktop app gets this cookie from the browser (the app is written in c++).
I really don't have any clear idea at the moment how this could be done, but if there is a way I will be happy to red any of your suggestions.
The main issue I see is actually getting to the cookie. I can't see how you'd do that reliably with all the OSes / OS versions, browsers / browser versions out there. You could maybe include an encrypted resource file in the download containing the credentials. You can put that into the downloaded archive on the server side.
Is downloading without a login really not an option?
Edit: including a one-use token in the download, using which the client can fetch the username and password (via SSL, encrypted, somehow safe) looks like a good bet.
Related
I use wamp to develop on a windows 7 machine. For this app I have an admin area which tracks the admin username and encrypted password with $_SESSION and a cookie which keeps track of the randomly generated encryption key for the password.
I set the cookie like:
setcookie('key', $key, time()+7200, 'admin/');
The admin user verification is run on every admin page after the admin user has entered username and password details to login.
The directory structure of the site and the admin is:
localhost/mysite/
locahost/mysite/admin/
A session runs in the admin section, and a session also runs in the user interface of the front-end to keep track of chosen criteria for searches.
When I run long database queries in the admin area ie. multiple updates and inserts where each iteration requires a connection to an external API, I am unable to load the front-end user interface in the same browser ie. firefox until after the admin operation has completed. If I use a different browser ie. chrome , I am able to load the front-end of the site while running admin mysql functions with no problems.
I'd like to view the site while these operations are running, and use the same browser. It's a small problem, but I'd like to know how to get around it because I want to learn. I mean I could just tell myself that it doesn't matter because the site works fine when I open another browser, and the final user isn't going to be running admin operations while viewing the site anyway, so from that perspective it doesn't matter, but I am curious.
What is going on with the sessions and cookies that stops me from viewing the site whilst the admin operations are running? Is my question even a good one? Part of me thinks that it's a silly question because ultimately the site works perfectly well in a separate browser. Anyway, thank you for looking!
I think your session is being locked. On the page that takes a long time to run add this at the top: session_write_close(); that should fix it.
I have developed a website in php-zend with SQL server 2008r2 in which we can create requests. I am building an add-in for Outlook in asp.net with C# to create a request directly from email also.
But at the time of request creation from Outlook, I want to know whether that person is already logged into the website or not. If not then he needs to log into the website first, then only he can create a request from Outlook.
So basically I want to synchronize my website and the Outlook add-in application. I searched for active directory also, but could not get any idea how to achieve that.
Can anyone help me?
Thanks a lot in advance,
Mausami
It's not really designed to do this. You would need to look up the phpsessid value in the cookie set for your website on the local computer.
That's basically impossible because,
Every browser and OS store cookies differently, checking all the major browser cookie stores would be cumbersome and slow
If the browser is open when you're add in runs, the cookies will probably have an exclusive lock on them
Private browsing does not save cookie values to disk
Use authentication within you're plugin instead.
I started to develop a web application as a major project for my degree. Purpose of app is not important. My problem is handling the login. I have no problem with setting up login with jQuery mobile, that is actualy working pretty well. Problem is I'm handling login with php script through ajax and creating session in that process. So for checking if user is logged in or not I'd normaly use a php script, but in this case I can't. I need to keep using only client side for authentication. What would be the solution for this? Can I handle authentication with some native jQuery functions or do I need to write some JS scripts? If anyone have any solution please I don't need actual code, just best solution. Thank you
You can achieve this as long as login authentication is restricted to the device. What I mean is that user-id / password combination can be stored locally on the device. You may choose local file system storage for this. Here are the steps:
1) Make user register with uid/password
2) Check uid is existing in your local storage. If not register by writing it to local storage.
3) Later when user returns, validate login credentials against the local store.
I assume you're developing a native app with a mobile web framework. In this case you have two choices:
POST the login details out to a server somewhere, authenticate and return the session, allowing the user access. This will obviously require internet access, but will be more secure.
Store the credentials in local storage using JavaScript when the user signs up. Encrypt this value and compare against it when the user logs in.
I'm writing a JQM web app with a PHP web service. Users will be able to sign-in and register that they've made a purchase of, for instance, a soda from the club. This info will be stored in a database and eventually billed.
To illustrate what I want to do: I have already implemented this as an Android app. My "session handling" in the Android app consists of simply storing the user's credentials in Android's savedPeferences (persistent local storage) upon succesful authentication with the server. These credentials are then resent with every subsequent server request so that users only ever have to sign-in once - upon running the app for the first time.
I want to mimic this behavior in my JQM app as closely as possible. Ideally, the user should only ever have to sign in once unless they choose log out.
I'm a bit rusty when it comes to website programming, so what would be the best approach? Non-expiring cookings? Do I use a PHP session or handle everything in javascript?
This is for a hobby project; I prefer a simple solution over something overly secure and complex. Thanks!
Edit: After reading Mike's answer I stumbled across this plugin: https://github.com/carhartl/jquery-cookie
Perhaps this is the easiest way to keep users logged in..?
PHP sessions are going to be invalidated after a set amount of time (depending on your php.ini settings or any runtime modificatoins to the settings).
You can use long-time expiring cookies to persist a login (typically user is given checkbox at login to allow their login credential to be stored).
Since you are developing for a mobile device, you do also have the alternative of using HTML5 local storage since most every Android browser out there supports it. See more info at the link below.
HTML5 Local storage info
I prefer this as the login hash could be persisted even if the user clears their browser cookies and it can be handled strictly within Javascript.
I am currently working on 2 web servers, One Coldfusion and the other PHP.
Right now, the Coldfusion server is my main server where users log in to access restricted data.
However, I have also begun using a PHP server and want to make it transparent for users to access a specific page on that server - that server requires log in information as well.
I do not want the users to log in twice.
Is there a way to accomplish this ?
Thx
UPDATE: Working in an Intranet environment, so I can't use any public solution.
UPDATE: Reason I am asking for this is because we are moving from a MSQL / Coldfusion environment (Initial server) to a PHP / ORACLE (new server). So I have 2 user tables as well (although they contain mostly the same information).
I am trying to faze out the use of our initial server in favor of our new server transparently to the user and thus I have to work in parallel for the time being.
Most single-sign-on solutions work a bit like this...
Main system authenticates use
User opts initiates a need to move to system 2
Main system authenticates the user with system 2 in the background
System 2 supplies a random, long and disposable token to Main system
Main system redirects the user, with the token, to system 2
System 2 checks the token (and other factors such as IP address) to validate the session
System 2 disposes of the token to ensure it can't be replayed
You would want to ensure that the transmission channels had some security on, especially where Main system and system 2 are talking to each other. You would want that to be a secure transport.
Store sessions in a database, and share them between the two apps.
You could use xml-rpc to get user data and log the user into the other site when they have a login cookie for the first one and vice versa.
Php manual page for XML-rpc
Here is what I have done, in running my own game server, had users on sql server, and on mysql, and wanted to integrate them both.
I made sure that if a user was created on 1 system, was also created on the other.
So you can modify code in both applications, to automatically create a user in other system if it is created on here.
Depending if both servers share a domain, can you do cross-domain sessions or cookies...But my best guess is to store and retreive data...
Or..
as a person logins/registers record their current ip address, on both servers, then check if this person was on the other server within 2-5 minutes, if so, use the ip address to identify them....
This system is tricky because timing is important, so your not leaving a huge hole in your security....But for short term, going between servers, this is simplest solution, in my own opinion.
Good Luck.
If you are on an intranet, you can actually sniff out the network username of the user from the PC they are logged into the network on using PHP. This assumes that:
You are using IIS to host your PHP application.
Your users are using Windows.
Check the section "2.2 Enabling Support for Detecting Usernames" here.
After that, all you need to do is investigate if the same is possible from Coldfusion, and you have the basis of an SSO solution based on the network usernames.
How about implementing an OpenID solution, much like the one apparent on StackOverflow?
You may benefit from dropping a shared object on the client machine via Flash or Flex. This object could then be read from ColdFusion/PHP/Python on servers that otherwise had no connection to each other or access to a common database.
Here is a simple example from the Adobe Docs
Maintain local persistence. This is
the simplest way to use a shared
object, and does not require Flash
Media Server. For example, you can
call SharedObject.getLocal() to create
a shared object in an application,
such as a calculator with memory. When
the user closes the calculator, Flash
Player saves the last value in a
shared object on the user's computer.
The next time the calculator is run,
it contains the values it had
previously. Alternatively, if you set
the shared object's properties to null
before the calculator application is
closed, the next time the application
runs, it opens without any values.
Another example of maintaining local
persistence is tracking user
preferences or other data for a
complex website, such as a record of
which articles a user read on a news
site. Tracking this information allows
you to display articles that have
already been read differently from
new, unread articles. Storing this
information on the user's computer
reduces server load.
Full Information: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html