Solved

Header(location : and post vars

Posted on 2003-10-29
19
93,835 Views
Last Modified: 2011-08-18
I have a main page which at the moment has links to all of my sites.
I want to change this so it has a login box with a username and password.
I would like it so that when to user enters the details they are logged into the site
they signed upto.

I have been using the idea below below.

//check username and password in db
//this will give me the site they are registered to

header("Location: http://www.$site_registered_to");

problem is that this will not pass the username and password to the other site.

it works if i use this

header("Location: http://www.$site_registered_to?username=$username&password=$password");

But i need to post the vars, can this be done and any ideas on how?

Thanks
0
Comment
Question by:tsPHP
  • 6
  • 5
  • 4
  • +3
19 Comments
 
LVL 13

Expert Comment

by:lozloz
ID: 9642566
unless you can change the post to get on the site registered side, i can only think of one way to do it in javascript. if you build a form with $site_registered_to for the action and hidden fields for the username and password, you can have an onload event in the body tag submit the form. i'm not sure it would work but it's worth a try i suppose

in the body tag:

<body onload="document.siteForm.submit()">


and for your form:

<form action="<? print $site_registered_to; ?>" name="siteForm" method="POST">
<input type="hidden" name="username" value="<? print $username; ?>">
<input type="hidden" name="password" value="<? print $password; ?>">
</form>
0
 

Author Comment

by:tsPHP
ID: 9642584
i understand your approach but i see this as a security issue if the varibles are placed as hidden fields.

0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642639
if you really want to hide the variables, cant you store them in a session? or do you have no control over the site_registered_to?
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 

Author Comment

by:tsPHP
ID: 9642704
I have control of the sites but htey are on different domains a nd different servers.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642745
heh good point, so you wouldn't think about encrypting the values over either get or post?
0
 

Author Comment

by:tsPHP
ID: 9642787
no i need to post the varibles as they are.

is there no way of setting the post in the headers like the location

a wild guess
header("Post: $username");

im going to quickly try this :)
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642835
http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

cheers,

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9643084
You could use CURL or raw sockets to send a POST request to the external site with the username and password.
Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
which triggers the external site to re-set the sessionID cookie.
0
 

Author Comment

by:tsPHP
ID: 9643149
ive heard about CURL what exactly is this and does it need installing
0
 

Author Comment

by:tsPHP
ID: 9643221
ive thought of another idea, if i use

header("Location: http://www.$site_registered_to?username=$username&password=$password");

is it possible to stop the url from changing when i do the location part.
This would stop the varibles being show??
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9644302
you could do that through javascript but its not particularly secure. did you try the script i posted?
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9645596
Or, you could store the information in sessions, then you use those session variables on the different server, i can give you a link to how this is done if you are interested because the way you sugested will not work.
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 9645727
Tainted God, I'm interested in your approach of using Sessions on a different server, Please tell us more.

Why do you need to post the variables? The post method is no more secure than GET, unless you are posting a lot of data, ( > ~200 Bytes/Chars AFAIK ).

What you could do(as I've suggested else where on EE), would be to

<?php

header("Location: http://www." . $site_registered_to . "?postvars" = serialize($_POST);

?>

Then on the other side, put something at the start of the script, to take the serialized array, and put it back into a normal array.

<?php

$_POST = unserialize($GET['postvars']);

?>

The advantage of this approach is that if you defined suitable encryption/decryption functions you could use them too.

like

<?php

header("Location http://www." . $site_registered_to ."?postvars=" . encrypt(serialize($_POST)));

?>

and

<?php

$_POST = unserialize(decrypt($_GET['postvars']));

?>

I forgot to mention it earlier on, but you may need to use urlencode in there too somewhere.
0
 
LVL 11

Accepted Solution

by:
shmert earned 45 total points
ID: 9647562
This is an example of my previous post.  You send the username & password via POST to the remote server, and intercept the set-cookie header that gets sent back, which sets the session ID.  Then, you do a redirect, passing the sessionID in the URL.  The username/password is never displayed in the user's browser location bar, only the session ID.  The remote site needs to know how to use the sessionID in the URL as the sessionID for the redirected browser.

<?php
$url = 'http://localhost/test/authorize.php';
$args = 'username=shmert&password=password';

$url = parse_url($url);
if (empty($url['port'])) $url['port'] = 80;
$socket = fsockopen($url['host'], $url['port'], $errno, $errstr)
        or print("error # $errno while opening socket: $errstr <br />\n");
fputs($socket, "POST " . $url['path'] . " HTTP/1.0\n");
fputs($socket, "Host: " . $url['host'] . "\n");
fputs($socket, "User-Agent: shmertmethod\n");
fputs($socket, "Content-Type: application/x-www-form-urlencoded\n");
fputs($socket, "Content-Length: " . strlen($args) . "\n");
fputs($socket, "\n");
fputs($socket, $args);
$out = '';
while (!feof($socket)) {
        $line = fgets($socket, 1024);
        if (preg_match('/^set-cookie:\s*PHPSESSID=([a-z0-9]+)/i', $line, $matches)) {
                $cookie = $matches[1];
                break;
        }
}
if (empty($cookie)) {
        echo "Login failed, or could not generate a cookie";
} else {
        header("Location: http://" . $url['host'] . "/?PHPSESSID=$cookie");
}
?>
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9654685
It appears shmert stole my post, that was exactly what i was talking about so you dont really need anything from me now.
0
 
LVL 11

Expert Comment

by:shmert
ID: 9658900
Actually, I "stole" my own post ;)

> You could use CURL or raw sockets to send a POST request to the external site with the username and password.
> Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
> which triggers the external site to re-set the sessionID cookie.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9658943
no you all stole my post from:

http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

:p

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9664802
Apologies, loz.  That code does look pretty similar...
0
 

Expert Comment

by:willembermon
ID: 13878206
I'm using the following method with success.
before a header() call do a post_to_session() and just after you load a page do a session_to_post()

<?
      function post_to_session() {

            session_start();

            foreach ($_POST as $key => $value) {
                  $x[$key] = $value;
            }

            $_SESSION['PrePOST'] = $x;

            session_register('PrePOST');
      }

      function session_to_post() {

            session_start();

            foreach ($_SESSION['PrePOST'] as $key => $value) {
                  $_POST[$key] = $value;
            }

            session_unregister('PrePOST');
      }
?>
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question