I have a login form set up on my domain (eg: www.example.com/login).
When the user enters their login information, I need those details to be passed through a login form on an external website and the user directed to the application that they are logging into.
So to add the user steps to this:
1. User enters login information on www.example.com/login
2. User is directed to and has access to application on www.external.com/application without having to re-enter login details at www.external.com/login
The problem is, I'm not sure how to go about doing this. I found some references to cURL which from what I could gather is the best approach to take.
Any help with this would be appreciated .. I'm a PHP novice! Also ... the application on the external website is ASP.NET (I'm not sure if this has any factor on getting this to work).
Thanks for your help, Mark.
Depending on how your application works, what could work is have your login form on example.com/login point to external.com/application
so your form tag would look like this:
<form action="external.com/application" method="post">
Now your external.com/application will have to be setup to accept the data from the login form. When the form is submitted the browser should direct itself to external.com/application.
This is a possible approach :
On www.example.com/login, do a classic login form which is submitted on itself
On www.example.com/login, when a $_POST is detected :
check that the credentials are good
if yes, store within a table in you db server an hash dedicated to this user (by hashing his id/user/etc... whatever you wish)
redirect to www.external.com/login?hash=the_generated_hash
On www.example.com/verifyHash.php:
create a simple php file that take a hash in $_GET and echo "true" if this hash exists in your db
on www.external.com/login
check that a hash is passed in $_GET
if yes, do a simple $result = file_get_contents("www.example.com/verifyHash.php?hash=$_GET["hash"]");
if the result is true then you can assume that the user has valid credentials.
Of course, you can optimize this whole thing by passing a user id along your hash, by implementing some security when your asking remotly verifyHash, etc...
Related
I have two software. I want to create a link in the first one to call and fill a form in the second one.
The second one is written in PHP (with CakePHP) and can be accessed by authenticate users. I need to automatically log the users in and fill the form on click of the link.
I don't know how to do that?
I was thinking of this solution, but can you please tell me if you see a better one.
-The link will contain all information to login my user and all information to prefill the form
-The link will be dedicated to this action in my php application. It will automatically log my user in, put the form data in session and redirect to the form page.
-In the form page, if the session variable is not empty I will fill my form.
Please help me and tell me what do you think of this plan.
You can make a route that log you automatically just pass in args your login/pw encoded in md5 after you redirect to what you want.
I am not using the cake but maybe you need to adjust what I propose to fill your wish
You need to turn the GET parameters into POST, that's all and it's dead easy.
See https://en.wikipedia.org/wiki/Post/Redirect/Get
I have a question that is more conceptual at the moment than anything else.
Here's my situation
The school that I go to has a website for grade viewing which can be found at this link: https://grades.bsd405.org/Pinnacle/Gradebook/InternetViewer/Default.aspx
The login page presents a username and password box.
I plan on constructing a simple iPhone app that takes the resultant grades that are listed and display them in a UITableView.
However, how would I achieve getting the data from this website?
How do websites validate (authenticate) usernames and passwords and then pass on the relevant data?
Thanks for bearing through this tough question.
There are a lot of things going on in this website; i think we would need a little more info from you on your specific request. When you say Validate, do you mean validate as in check that usernames and passwords are formatted correctly or do you mean validate as in authenticate, i.e. send the resultant data to the X to determine that the username and password is correct.
Based on what I see I can partially answer your question, the asp site would send over SSL, the user name and password to the application, where I would assume the application then checks the username and password against a username and hash of the password (the hash being the calculated squish of the password which is stored as such for security and confidentiality).
In your case you wouldn't need to know any of that if you wanted to interface/integrate an app with this, you'd just need to format a request in your app and deliver it over an SSL connnection to the page. There's a caveat; and that being session stuff with ASP; its a bit more complex than just usernames and passwords.
The page generate a unique ID each time, passed as hidden field of the form. So i'm sorry but i think that you can't post nothing from the extern.
Yes, you certain can pass the hidden id.
What you need to do is follow the session stuff that ASP generates. We do this all the time with ASP sites that we 'scrape' for data with our primary application.
Your app will first need to call the site, collect the sessionid data, and return that in your form when you submit the form for authentication. After that depending on what is happening in the site, you may need to capture and send the resultant sessionid on each subsequent request.
Actually its a horrible thing when you see how much useless data is passed back and forth by ASP.
I'm trying to create a user login system where each user has a password, a username and a level (I.E Admin or Master). What i've done so far:
Created a mySQL database using PHP and created the relevant fields in the tables.
Made a simple Angular JS page.
I'm trying to link the database and page so I can check a user's input in the login inpuot field against all the data stored in the 'passwords' section of my mySQL table.
Any idea how I can achieve this? The most simplest, straight-forward answers please as I'm new to Angular (and mySQL!)
Thanks!
You should not do a login on an angular page since everything data related is handled by javascript which can easily be stopped, debugged and analyzed.
The better way would be:
Create a normal index.php which presents a login form to the user.
On submit check for validity with your database.
If user is valid start a session and header on to the actual angular app page.
The only way to check if this is a valid php session is in your REST calls via angular http service to your database related php scripts.
So every read/write access to your REST api should check, if this user is really allowed to do this db operation in the php script.
If the check fails, header back to the login page or some "Got you!" page.
This way the attackor may be able to see the js code of the angular app (if he gets somehow hold of the actual address) but it's completely useless to him, cause he can never see the actual data as long as he hadn't started a valid php session. And the data is what you want to protect, not the script of the app.
In a nutshell: Mix standard PHP validation AND Angular. Allow haxors to get to your page, but never, ever show them any of your underlying data. As soon as someone tries to mess with your data, kick him out.
This is nearly the same answer i gave here
Search for the marked keywords in both PHP and Angular sites to grasp the idea behind this.
I'm developing a website by Zend.
Some people create a html file imitate my login view. Action in form point to my controller to submit.
I don't other login outsite from my websites. So how can I prevent other domains submit form to my controller?
I tried to get request host name of "requester pages" to compare theirs domain with mine, then return error if user login from other sites.
Check the ZF manual for CSRF protection, which is the standard, built-in way to solve this problem.
you could check the refferer if it is in your domain (or empty)
add a hidden input field an generate a token on every display. if the token is wrong, don't continue and redirect them to your login page.
Be sure that every token can only used once, by one user (same session/ip) and only for e.g. 1 hour
EDIT: see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
there would be easiest way to prevent out side users to login into your site
user zend captcha to generate every time new code to login session
you can use below link as reference to use in login page
http://mnshankar.wordpress.com/2010/06/01/zend-form-element-captcha/
I am working with a partner site to embed a form onto my site where users can login to a portal. The portal developer has granted me access to a web-login service in order for me to pass variables from my site to his.
This is the information given How can I make this work in PHP, I have a form with a checkbox, and username and password but don't quite know how to make it pass variables I am not seeing any connection on my end. And I don't know how to set it up where they are redirected to a page on my site when the reset their password any ideas?
I have done this before using a WordPress login and adding it to my main site so I know most of the basics to make it work but what I have applied so far has not worked for me. I guess I need a little nudge in the right direction to get the brain working again.
Thanks in advance.
From the Developer
I am working on a web login service that you could use and have enough done that I can
send you the requirements.
Form Post URL: http://portal.blank.com/services/formlogin.cfm
Form variables:
portallogin - can be any value if present the following form variables are required:
errorurl - URL to be redirected to if an error occured. There will be an "error" url variable present with a human readable error string.
portalurl - (optional) URL to be redirected to if successfully logged in. if not present will be redirected to http://portal.blank.com
username - username of user
password - password of user
agreeterms - can be any value just needs to be present to authenticate
fogotpassword - can be any value if present will lookup password based on email address and password will be emailed
email - email address associated with user
returnurl - URL to be redirected to after running password lookup
An easy method would be to use Snoopy, a PHP class. A harder method (but no less effective) would be to use PHP's cURL functions to post your data to the form. This is assuming you're trying to keep your link to your partner's site hidden from your users.
Alternatively, you could just make a simple HTML form and set the form action to "http://portal.blank.com/services/formlogin.cfm" if you don't care that your users know you're authenticating them against some other site. I'd use https if available.