Solved

Header(location : and post vars

Posted on 2003-10-29
19
93,824 Views
Last Modified: 2011-08-18
I have a main page which at the moment has links to all of my sites.
I want to change this so it has a login box with a username and password.
I would like it so that when to user enters the details they are logged into the site
they signed upto.

I have been using the idea below below.

//check username and password in db
//this will give me the site they are registered to

header("Location: http://www.$site_registered_to");

problem is that this will not pass the username and password to the other site.

it works if i use this

header("Location: http://www.$site_registered_to?username=$username&password=$password");

But i need to post the vars, can this be done and any ideas on how?

Thanks
0
Comment
Question by:tsPHP
  • 6
  • 5
  • 4
  • +3
19 Comments
 
LVL 13

Expert Comment

by:lozloz
ID: 9642566
unless you can change the post to get on the site registered side, i can only think of one way to do it in javascript. if you build a form with $site_registered_to for the action and hidden fields for the username and password, you can have an onload event in the body tag submit the form. i'm not sure it would work but it's worth a try i suppose

in the body tag:

<body onload="document.siteForm.submit()">


and for your form:

<form action="<? print $site_registered_to; ?>" name="siteForm" method="POST">
<input type="hidden" name="username" value="<? print $username; ?>">
<input type="hidden" name="password" value="<? print $password; ?>">
</form>
0
 

Author Comment

by:tsPHP
ID: 9642584
i understand your approach but i see this as a security issue if the varibles are placed as hidden fields.

0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642639
if you really want to hide the variables, cant you store them in a session? or do you have no control over the site_registered_to?
0
 

Author Comment

by:tsPHP
ID: 9642704
I have control of the sites but htey are on different domains a nd different servers.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642745
heh good point, so you wouldn't think about encrypting the values over either get or post?
0
 

Author Comment

by:tsPHP
ID: 9642787
no i need to post the varibles as they are.

is there no way of setting the post in the headers like the location

a wild guess
header("Post: $username");

im going to quickly try this :)
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642835
http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

cheers,

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9643084
You could use CURL or raw sockets to send a POST request to the external site with the username and password.
Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
which triggers the external site to re-set the sessionID cookie.
0
 

Author Comment

by:tsPHP
ID: 9643149
ive heard about CURL what exactly is this and does it need installing
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:tsPHP
ID: 9643221
ive thought of another idea, if i use

header("Location: http://www.$site_registered_to?username=$username&password=$password");

is it possible to stop the url from changing when i do the location part.
This would stop the varibles being show??
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9644302
you could do that through javascript but its not particularly secure. did you try the script i posted?
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9645596
Or, you could store the information in sessions, then you use those session variables on the different server, i can give you a link to how this is done if you are interested because the way you sugested will not work.
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 9645727
Tainted God, I'm interested in your approach of using Sessions on a different server, Please tell us more.

Why do you need to post the variables? The post method is no more secure than GET, unless you are posting a lot of data, ( > ~200 Bytes/Chars AFAIK ).

What you could do(as I've suggested else where on EE), would be to

<?php

header("Location: http://www." . $site_registered_to . "?postvars" = serialize($_POST);

?>

Then on the other side, put something at the start of the script, to take the serialized array, and put it back into a normal array.

<?php

$_POST = unserialize($GET['postvars']);

?>

The advantage of this approach is that if you defined suitable encryption/decryption functions you could use them too.

like

<?php

header("Location http://www." . $site_registered_to ."?postvars=" . encrypt(serialize($_POST)));

?>

and

<?php

$_POST = unserialize(decrypt($_GET['postvars']));

?>

I forgot to mention it earlier on, but you may need to use urlencode in there too somewhere.
0
 
LVL 11

Accepted Solution

by:
shmert earned 45 total points
ID: 9647562
This is an example of my previous post.  You send the username & password via POST to the remote server, and intercept the set-cookie header that gets sent back, which sets the session ID.  Then, you do a redirect, passing the sessionID in the URL.  The username/password is never displayed in the user's browser location bar, only the session ID.  The remote site needs to know how to use the sessionID in the URL as the sessionID for the redirected browser.

<?php
$url = 'http://localhost/test/authorize.php';
$args = 'username=shmert&password=password';

$url = parse_url($url);
if (empty($url['port'])) $url['port'] = 80;
$socket = fsockopen($url['host'], $url['port'], $errno, $errstr)
        or print("error # $errno while opening socket: $errstr <br />\n");
fputs($socket, "POST " . $url['path'] . " HTTP/1.0\n");
fputs($socket, "Host: " . $url['host'] . "\n");
fputs($socket, "User-Agent: shmertmethod\n");
fputs($socket, "Content-Type: application/x-www-form-urlencoded\n");
fputs($socket, "Content-Length: " . strlen($args) . "\n");
fputs($socket, "\n");
fputs($socket, $args);
$out = '';
while (!feof($socket)) {
        $line = fgets($socket, 1024);
        if (preg_match('/^set-cookie:\s*PHPSESSID=([a-z0-9]+)/i', $line, $matches)) {
                $cookie = $matches[1];
                break;
        }
}
if (empty($cookie)) {
        echo "Login failed, or could not generate a cookie";
} else {
        header("Location: http://" . $url['host'] . "/?PHPSESSID=$cookie");
}
?>
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9654685
It appears shmert stole my post, that was exactly what i was talking about so you dont really need anything from me now.
0
 
LVL 11

Expert Comment

by:shmert
ID: 9658900
Actually, I "stole" my own post ;)

> You could use CURL or raw sockets to send a POST request to the external site with the username and password.
> Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
> which triggers the external site to re-set the sessionID cookie.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9658943
no you all stole my post from:

http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

:p

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9664802
Apologies, loz.  That code does look pretty similar...
0
 

Expert Comment

by:willembermon
ID: 13878206
I'm using the following method with success.
before a header() call do a post_to_session() and just after you load a page do a session_to_post()

<?
      function post_to_session() {

            session_start();

            foreach ($_POST as $key => $value) {
                  $x[$key] = $value;
            }

            $_SESSION['PrePOST'] = $x;

            session_register('PrePOST');
      }

      function session_to_post() {

            session_start();

            foreach ($_SESSION['PrePOST'] as $key => $value) {
                  $_POST[$key] = $value;
            }

            session_unregister('PrePOST');
      }
?>
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

This article will explain how to display the first page of your Microsoft Word documents (e.g. .doc, .docx, etc...) as images in a web page programatically. I have scoured the web on a way to do this unsuccessfully. The goal is to produce something …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now