I have a client running an ASP.NET application. Inside of that, there's a self-contained PHP wiki. The problem is that the wiki won't use the .NET authentication, so requests directly to http://foobar/path/wiki/ will resolve without forcing a login.
My simple solution for this is to run the PHP application in an iFrame from an .aspx file that will force authentication, and then use PHP to detect if the page is loaded outside of a frame and redirect if so.
I know this can be done with JavaScript quite easily, but I would prefer to do this test server-side before the Wiki content loads. I need help figuring out a way that this can be done. Referrer comparison perhaps?
Any suggestions?
Thanks!
There is no way to tell on the server-side if a client's browser is loading a page within a frame, tab, or dedicated window.
What you can do is have your .NET application set a cookie after authenticating that the PHP application will read. If the cookie doesn't exist then do a redirect to the authentication page.
Even with JavaScript this is not secure. One could simply request the Wiki pages and ignore the JavaScript. For example, I could use WGET to pull down all your content without ever authenticating.
If security is important, I would highly recommend figuring out a way to make the PHP app aware of the authentication.
The simplest approach, if this is all on one server, would be to have the .NET application store some sort of token after authenticating, somewhere PHP can access it. Then set a cookie that the PHP wiki will receive and check that value is a valid session for each request.
Related
I am working on a PHP website which is using the php_svn module to retrieve data from our SVN repositories.
For this I have set internally a hardcoded user/pwd so I can connect (dirty way...)
Now I would like to connect using my current LDAP user. Means that once I try to connect to SVN, then PHP should be able to retrieve my current windows session (the client side that executes IE,etc..) and pass it to SVN so it will still recognise me without prompting user/pwd...
Not sure if this is possible but would be brilliant to achieve it :)
Has someone achieved something similar? In the php_svn site not much information is available for this specific point...
http://php.net/manual/en/book.svn.php
Thanks in advance!
It seems like you're trying to get a web request to be session based. Web requests are stateless (meaning each request starts over from a blank slate). If you want to maintain credentials between requests, you'll need to use some kind of session handler. PHP has a built in one. http://php.net/manual/en/book.session.php
You won't be able to directly access the 'windows session' however. The information has to make its way from the windows session, into the browser, which isn't really possible without some kind of browser plugin... the more realistic way to do this is: have the user log in to the website, submit their credentials, then store them in a PHP session, to be re-used by PHP on every subsequent page load.
I use a JSON API to get data for a website. I am aware of various methods that I could make it secure, but my situation is different from common methods.
Because of cross domain issues, I had to create an API folder with various PHP files that do cURL requests to the REStful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information so the first thing I did was check for the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it on their browser. This is obviously not safe nor should I rely on it.
Any data I may try to post to the request will be through JavaScript so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files to be run outside the website or something? Basically make them inaccesible for visitors?
This does not have to do anything with REST. You have a server side REST client, in which you call the REST service with cURL and the browser cannot see anything of this process. Until you don't want to build your own REST service for this AJAX client this is just a regular webapplication (from the perspective of the browser and the AJAX client ofc.). As Lorenz said in the comment, you should use sessions as you would do normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role based access control is very common.
I am taking over a community website that was built using Kentico (an ASP.NET-based CMS).
I have PHP/CodeIgniter code that could add interesting functionality to this Kentico website. For example, my PHP code allows for uploading and posting of user-generated material such as images, which the community can then comment on.
Since I'm unfamiliar with how Kentico works, I wonder if anyone knows if this functionality exists in it (as a module). If not, either this
would have to be coded in ASP.NET or
I could have a hybrid website using my PHP code, however authentication from the Kentico side would have to be passed the PHP side of the website.
Any suggestions on how to handle this situation?
You can store the authenticated session in the DB where both ASP and PHP have access
Look into the "User contributions module" - if you've got access to a new enough version of Kentico and the appropriate license then it will probably do exactly what you need it to.
Otherwise if you needed to do authentication from a seperate PHP app, I suppose you could write a simple web service in .Net and add it into the Kentico site. In the past I've used a .ashx generic handler to do this.
Maybe you could include a hidden iframe to the other site on each page and use postMessage in JavaScript to send a session ID between the sites.
I would probably try to keep everything all in one code base unless there was reason to break it out into a seperate module though - otherwise it just seems like a lot of extra work.
I'm not sure if this is even possible, but I figured this was a great place to ask the question.
I'm using http://simpletest.org/en/browser_documentation.html PHP WebBrowser to test a wordpress site. What I'm doing is setting the login credentials to access the wordpress backend. I run a couple of test, but my question is in certain situations I want to transfer the session that the "SimpleTest PHP Web Browser" has running to client's browser. Aka... my browser.
So in a since I"m transferring the session from the server side test browser to a normal client browser. This "client browser" is the same browser that is literally running the SimpleTest script to begin with.
I'm wondering if I can transfer the header & cookies associated with the "SimpleTest PHP Web Browser" to my browser. What I'm thinking is to pull the data out using the SimpleTest PHP Library and then set that information to the client browser using Javascript.
Is this even possible? I feel like I'm missing some basic understanding of server side session authentication which would make this impossible.
Any ideas? I'm really curious!
Did you look at the Authentication documentation for SimpleTest?
I'm using loadVars to load a PHP URL with lots of sensitive information required for the Flash application. Only problem is that URL can be accessed via a web browser which raises security issues if someone gets a hold of this URL. Is it possible to have the PHP page only accessible via my Flash application?
Appreciate the help!
Thanks
No, there is no way to limit a page to a specific app, browser or user agent, since all of those things can be mimicked. If you are passing around sensitive information then you need to do authentication and use encrypted data transfer (HTTPS).
Regardless of how you attempt to make it only accessible from your Flash application, a determined user will certainly be able to view the page also. It can be as simple as proxying the requests through an HTTP proxy like Charles, Firebug or Wireshark.
There are things that can be done to make it more difficult to figure out what the data is from viewing the page directly. For instance, you can encrypt the data or output it as binary. But since SWF is an open sourced format, users can use decompilers or just inspect the ABC (Actionscript Byte Code) to see what is really going on.
The short answer is NO, you cannot protect the information available to the client side (Flash) from being accessible from other clients.
As long as you have a page on HTTP, a determined user can always find a way around any user-agent restrictions imposed by you.
One way to protect the data (other than using HTTPS) is to encrypt it at the server, send it over HTTP and then decrypt it in Flash using as3Crypto or some other cryptography library.
Hope this helps,