Firstly, please don't dismiss this question - I'm aware it's an ugly situation but hey, real life isn't pretty.
I'm developing an extra section to a web app that's written in asp.net, but in php - it's mostly done (the two parts don't really communicate with each other outside of a database - the integration is mostly just cosmetic.)
The only issue I have is detecting from the php part when the .net session has expired so that it logs the user out and redirects to the login page.
I believe the asp.net application is compiled, but either way I'm not allowed to alter it so I was thinking maybe the best thing to do would be to make a very small/simple aspx page that outputs true or false which I could call using curl from php (and passing the browser's cookies along.)
Would this even be possible? I'm not sure how session security works on asp.net eg whether one .net application can read another's session variables, but if it's anything like php then it'll be possible.
mypage.php --curl--> checksession.aspx --|
| |
<----------- true / false <---------------
So mypage issues a GET (with cookies from browser) to checksession using curl, checksession simply returns a true or false (or something like that) and mypage redirects to the site's login page if that's false.
The authentication for the php side is already sorted out and is separate to this issue.
So really, what I need to know is can I have just a simple .aspx file that does this check, and if so where would I go to to find out how to program such a simple page? If it's just a line or three, please could you let me know what those lines would be (I'm sorry I've never done any .net stuff..)
If this isn't possible, then if you don't mind, could you provide some alternative solutions? Thanks!
-- EDIT --
After spending most of the day with this problem, I'm now thinking that using php at all to get around this is a bad idea. There's actually two levels of authentication involved (one is normal HTTP request/response login type thing, then there's the .net session) - on top of that I totally missed the point that obviously these sessions are almost certainly going to be backed up by the IP of the users browser which I'd have to spoof or something coming from curl as that'll be running on the server.
So I think I'm going to use jQuery somewhere in the header of my page to check and redirect as required...somehow :/
-- EDIT 2 --
Ok, so the javascript way has suited my needs pretty well - obviously it's not a secure way of doing things, but fortunately in this case it's ok as this is just an app used on the intranet (and the shoddy way they authenticate users is terrible anyway.)
There are multiple ways here. First of all, the cookies alone won't do much, because the session can be expired in ASP.net even though the Cookie is still alive.
ASP.net supports multiple SessionStates, of which two are common:
In Process - here, the Web Server (Usually IIS) holds all Sessions in memory. If the IIS Service is restarted (Happens by default every 24 hours, not just when the system restarts!), All Sessions are wiped (that's why the cookie alone does not help). This scenario is default I believe and thus very common in single-server environments
SQL Server - here, the session data is stored in a SQL Server database. This isn't used that often though.
State Server. This seems really uncommon, so I'm omitting it.
Scenario 2 is your best bet, because you can just read the session id from the cookie and query the SQL Server database for the session info.
in Scenario 1, your approach is the correct one: You need help from the ASP.net Application, which can be a .aspx page. Make a request from PHP passing in the session cookie and check Session.SessionID and Session.IsNewSession to make sure the ID Matches and IsNewSession should be false - otherwise, ASP.net just recreated a new Session.
You may have to interact with the Session from the ASP.net page to activate it (Session["PingFromPHP"] = true) which may interfere with the ASP.net Application if your key (the name in the []-brackets) has the same name.
If the ASP.net Application is compiled, put the .aspx.cs file that serves as the code behind into a folder named App_Code, this should allow you to run it.
Hope that gets you started.
I don't know php but If both app are on same domain you should be able to read the ASP.Net session cookies and determine if it has expired or not., because cookies are bount to domain instead of web app using it and so browser will surely give the cookie with the request.
This maybe isn't the right answer to this question.. but I found a fairly easy (slightly ugly) fix which was a bit of luck really..
I created a page called checksession.aspx and asp.net (or the iis app) automatically redirected that page to the login page if the session had expired. Using this with curl I can now just check whether I get a 302 redirect and if so I know that the session has expired.
Woot :)
Related
I'm currently making two different, but pretty similar web-based applications. So I'm using PHP, and standard MySQL (MariaDB in my case because I use XAMPP but I guess two of them are similar to one another). FYAI, I'm building my apps on a local server which located just right in my PC.
So let's say my first project is Project1, and it is stored in localhost/project1. Meanwhile, the Project2 is in localhost/project2. Both of them have a login feature for different account/user.
So when they try to log in I do this. By the way, it's MVC.
class Auth extends Controller {
public function index()
{
// verification such as prevent raw attempt with no post data, etc.
// verify the username and password, header back if fail, blablabla, u know...
// and then the following is if succeeded
$_SESSION['login'] = true;
$_SESSION['id'] = // user id;
}
}
I used that similar system in both of my projects.
The Problem
So I was trying to figure out how session work, and I log myself into the localhost/project1. And then I open localhost/project2. Surprisingly for me, I didn't need to type in my username and password in localhost/project2. I logged in already. These things gave me some concern. So these are my questions:
Did that happened because I develop my site on a local server in my very own computer?
Don't you guys think that anybody can break in to my site just by creating some simple procedural php code in their server like this:
$_SESSION['login'] =true;
// and other sessions
and then just access that file, which make their session login value is
true, and other validation session index that i used, and then just
access my web site and logged in, like some man with big AK-47 in his
hand walks in right from the very front door of the white house with no
secret service notice and hold him down in custody?
Why is this really happening and how do you think I should fix it? I also have some timeout feature so I'm afraid any big changes would bother most of my construction but any suggestion is really welcome.
Sorry if my English is bad, or my php knowledge is pathetic. I'm new.
Sessions are normally driven by a cookie that contains your session ID. Since cookies are shared within the same domain by default, if you have two projects both located on the same host/domain (e.g. localhost), and both use sessions, then they will both share the same cookie and thus the same session data.
This means someone could NOT hack into your site by setting up a random session in their own site. Their session data would only be applicable to their own site.
On a side note, it's not usually a good idea to suggest analogies that involve storming the white house with a gun. Just a friendly piece of advice.
I run a website which can be reached through different domains: domainname.de, domainname.ch, domainname.at, domainname.es etc. ...
When my customer wants to pay we gets to a payment page which is of course https secured. Due to server limitations I am only allowed to have one SSL Certificate which I only put on one domain: domainname-secure.com.
Because I charge different prices I need to know which domain the user belongs to, so when redirecting to domainname-secure.com I save the domain (e.g. domainname.de) in the session variable $_SESSION['domain_default'] and pass the sessionID by adding session_id=[session_id] as a get parameter.
Then I check I take $_GET['session_id'] and run the follow command to have the session available on the domainname-secure.com:
session_id($_GET['session_id']);
session_start();
When I test it myself, it works perfectly fine but I make a log entry when somebody gets to domainname-secure.com and has not have set $_SESSION['domain_default'].
This occurs several times a day but I really have no clue why this does not work! I am testing it again and again from many different links but for me it works perfectly fine.
Can some of you imagine why it sometimes does not work?
Is it not "good" or insecure to pass the session ID to another domain and is it not always readable after redirecting?
I know it is hard for you to determain a mistake but I am searching for some know issues with session or maybe a tip how to do it in a better way?
Session are administered by PHP on a per domain basis meaning they don't mix domains intentionally.
If you would be using another session storage mechanism such as writing into the database or using memcached sessions you'd be able to overcome this limitation.
There are two approaches if you want to be able to access the session info when changing domains either:
Don't use PHP's $_SESSION, setup your own session management with memcached/redis/sql;
Or:
Use PHP's $_SESSION, but when transferring from one domain to another serialize the data in $_SESSION and put it somewhere accessible from both domains like sql;
I'm working on a project that keeps some user information (non-sensitive) in a php session. As it is my first time working with sessions, I never bothered to pass any Session ID, but it still works - is that right ? I couldn't find any information about that.
I'm using some parts of the information in the $_SESSION variable to navigate and influence some of the sites' behaviour, and it sometimes is crucial for the page to interact with the user. Meaning without the correct informatin of the current session the navigation will be broken.
So, can I rely on the existence of Sessions ?
And can I rely on the server to automatically pick the right session without passing the SID ?
I'm working only on one server and I don't need the session to be restorable (meaning that when a user leaves the application the session can be destroyed).
If you couldn't find information about that, you probably skipped the most obvious reference: the official PHP manual. It's right there in the Introduction of the Sessions chapter:
Session support in PHP consists of a way to preserve certain data
across subsequent accesses. This enables you to build more customized
applications and increase the appeal of your web site.
A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL.
If your question is whether cookies are reliable for this purpose, in fact it's the de-facto standard nowadays. You'll hardly find PHP-powered sites that still transmit the session ID in the URL. The reason is that it's a problematic technique: it's too easy to give away your session ID. If you copy the URL and send a link to a friend or post it in a forum it's very easy that any stranger is able to access your private data, even inadvertently (you don't need a malicious guy here) if they visit the site before the session has expired and the site does not implement further verifications (which is the usual situation).
Yes you can rely to having the server to pick the correct sessions for you. I have in my 10 years of php coding not experienced a faulty session yet.
However, if you choose to pass the sessionid to the next page, be ware of the risks. Session hijacking is a very serious business if you have any sort of private data.
So I have 2 domains: http://domain1.com and http://domain2.com
domain1.com has a bunch of cookies for the user stored on it.
I want to access all of those cookies but from domain2.com (to keep them synchronized).
Is this possible in JQuery? I was thinking of making a Cookie php file and somehow connect to that file from domain2.php to pull all of the data in.
Thanks for any help
NOTE: These are NOT sub-domains but 2 completely different domains I Control
In a strict sense? No. It isn't. In a more loose sense, yes it is.
If you're storing all of your data in cookies, you're actually storing the data in the browser, which means that jQuery, Prototype, Mootools... can't help you because of browser security (unless you can turn their browser into a server (might work with a Firefox extension (I swear, FF could be an OS if needs be...), but that would be gratuitous)).
I said that in a loose sense it is possible because PHP lets you do two very important things. First, it lets you store your session in a database, and second it lets you assign the session ID directly. It is possible, then, to have two servers point to the same DB and then share SESSION data by switching the user's session ID.
no. this would violate the security model on which browser cookies operate.
to work around this you can implement an iframe (perhaps invisible to the user) on domain1.com which is served from domain2.com and pass data between the two sites with JS.
I would look at a server-side solution, creating a common database that all sites can access. When the user logs in, generate a time-sensitive, IP-keyed token that can be passed from site to site either in GET or POST. Then, validate each request on token, IP, and time. The combination of the three will resolve most security concerns.
or you can look at this SO question for ideas its in .Net though Store cookie for other site
The problem is that I have a PHP script (A) that does signup, authorize Twitter, then the twitter calls back to a return PHP script (B).
In script (A), I set some $_SESSION variables, and in script (B) I will get it. Very straight foward.
I have tested it on my computersss, and it all works. I can see the session variables in script (B) set by script(A). so as my friends.
However, the most important thing is, my boss' computer cannot see it! that's the worst. he also tried on his computersss, still didn't work at his end.
I even reboot and restart the server, but still, situation remains the same.
So, my question is, is there any kind of restriction that the server cannot set the session on a computer? or,.. in which situation, the server will fail to set the session?
Server: Apache 2.2.3. Using Plesk
PHP: 5.2.5
Maybe a stupid question, but anyway... does your boss block cookies on his computer?
If that were the case and for some reason PHP was set up to not 'fall back' to passing the session ID via the query string (or the redirect stripped it somehow), that may be a problem.
The session id is different on different computers because that's the idea behind sessions. You assign a number to each visitor (the session id) and by that number you can identify users and store information in each users $_SESSION array. This array is available only to that single session/user.
If you want something to store data for all visitors of your site, you might want to use a database or a serverside cache.
Since it’s the session that fails, check that the client uses the same session on every request and not a new one. Check if the session ID is carried along properly. If you’re using a session cookie, check its validity settings and see if the session cookie is accepted by the client. See PHP Session/Cookie problems with Windows XP, Vista, IE and certain users.