Solved

Header(location : and post vars

Posted on 2003-10-29
19
93,843 Views
Last Modified: 2011-08-18
I have a main page which at the moment has links to all of my sites.
I want to change this so it has a login box with a username and password.
I would like it so that when to user enters the details they are logged into the site
they signed upto.

I have been using the idea below below.

//check username and password in db
//this will give me the site they are registered to

header("Location: http://www.$site_registered_to");

problem is that this will not pass the username and password to the other site.

it works if i use this

header("Location: http://www.$site_registered_to?username=$username&password=$password");

But i need to post the vars, can this be done and any ideas on how?

Thanks
0
Comment
Question by:tsPHP
  • 6
  • 5
  • 4
  • +3
19 Comments
 
LVL 13

Expert Comment

by:lozloz
ID: 9642566
unless you can change the post to get on the site registered side, i can only think of one way to do it in javascript. if you build a form with $site_registered_to for the action and hidden fields for the username and password, you can have an onload event in the body tag submit the form. i'm not sure it would work but it's worth a try i suppose

in the body tag:

<body onload="document.siteForm.submit()">


and for your form:

<form action="<? print $site_registered_to; ?>" name="siteForm" method="POST">
<input type="hidden" name="username" value="<? print $username; ?>">
<input type="hidden" name="password" value="<? print $password; ?>">
</form>
0
 

Author Comment

by:tsPHP
ID: 9642584
i understand your approach but i see this as a security issue if the varibles are placed as hidden fields.

0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642639
if you really want to hide the variables, cant you store them in a session? or do you have no control over the site_registered_to?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:tsPHP
ID: 9642704
I have control of the sites but htey are on different domains a nd different servers.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642745
heh good point, so you wouldn't think about encrypting the values over either get or post?
0
 

Author Comment

by:tsPHP
ID: 9642787
no i need to post the varibles as they are.

is there no way of setting the post in the headers like the location

a wild guess
header("Post: $username");

im going to quickly try this :)
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9642835
http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

cheers,

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9643084
You could use CURL or raw sockets to send a POST request to the external site with the username and password.
Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
which triggers the external site to re-set the sessionID cookie.
0
 

Author Comment

by:tsPHP
ID: 9643149
ive heard about CURL what exactly is this and does it need installing
0
 

Author Comment

by:tsPHP
ID: 9643221
ive thought of another idea, if i use

header("Location: http://www.$site_registered_to?username=$username&password=$password");

is it possible to stop the url from changing when i do the location part.
This would stop the varibles being show??
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9644302
you could do that through javascript but its not particularly secure. did you try the script i posted?
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9645596
Or, you could store the information in sessions, then you use those session variables on the different server, i can give you a link to how this is done if you are interested because the way you sugested will not work.
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 9645727
Tainted God, I'm interested in your approach of using Sessions on a different server, Please tell us more.

Why do you need to post the variables? The post method is no more secure than GET, unless you are posting a lot of data, ( > ~200 Bytes/Chars AFAIK ).

What you could do(as I've suggested else where on EE), would be to

<?php

header("Location: http://www." . $site_registered_to . "?postvars" = serialize($_POST);

?>

Then on the other side, put something at the start of the script, to take the serialized array, and put it back into a normal array.

<?php

$_POST = unserialize($GET['postvars']);

?>

The advantage of this approach is that if you defined suitable encryption/decryption functions you could use them too.

like

<?php

header("Location http://www." . $site_registered_to ."?postvars=" . encrypt(serialize($_POST)));

?>

and

<?php

$_POST = unserialize(decrypt($_GET['postvars']));

?>

I forgot to mention it earlier on, but you may need to use urlencode in there too somewhere.
0
 
LVL 11

Accepted Solution

by:
shmert earned 45 total points
ID: 9647562
This is an example of my previous post.  You send the username & password via POST to the remote server, and intercept the set-cookie header that gets sent back, which sets the session ID.  Then, you do a redirect, passing the sessionID in the URL.  The username/password is never displayed in the user's browser location bar, only the session ID.  The remote site needs to know how to use the sessionID in the URL as the sessionID for the redirected browser.

<?php
$url = 'http://localhost/test/authorize.php';
$args = 'username=shmert&password=password';

$url = parse_url($url);
if (empty($url['port'])) $url['port'] = 80;
$socket = fsockopen($url['host'], $url['port'], $errno, $errstr)
        or print("error # $errno while opening socket: $errstr <br />\n");
fputs($socket, "POST " . $url['path'] . " HTTP/1.0\n");
fputs($socket, "Host: " . $url['host'] . "\n");
fputs($socket, "User-Agent: shmertmethod\n");
fputs($socket, "Content-Type: application/x-www-form-urlencoded\n");
fputs($socket, "Content-Length: " . strlen($args) . "\n");
fputs($socket, "\n");
fputs($socket, $args);
$out = '';
while (!feof($socket)) {
        $line = fgets($socket, 1024);
        if (preg_match('/^set-cookie:\s*PHPSESSID=([a-z0-9]+)/i', $line, $matches)) {
                $cookie = $matches[1];
                break;
        }
}
if (empty($cookie)) {
        echo "Login failed, or could not generate a cookie";
} else {
        header("Location: http://" . $url['host'] . "/?PHPSESSID=$cookie");
}
?>
0
 
LVL 2

Expert Comment

by:TaintedGod
ID: 9654685
It appears shmert stole my post, that was exactly what i was talking about so you dont really need anything from me now.
0
 
LVL 11

Expert Comment

by:shmert
ID: 9658900
Actually, I "stole" my own post ;)

> You could use CURL or raw sockets to send a POST request to the external site with the username and password.
> Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
> which triggers the external site to re-set the sessionID cookie.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9658943
no you all stole my post from:

http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

:p

loz
0
 
LVL 11

Expert Comment

by:shmert
ID: 9664802
Apologies, loz.  That code does look pretty similar...
0
 

Expert Comment

by:willembermon
ID: 13878206
I'm using the following method with success.
before a header() call do a post_to_session() and just after you load a page do a session_to_post()

<?
      function post_to_session() {

            session_start();

            foreach ($_POST as $key => $value) {
                  $x[$key] = $value;
            }

            $_SESSION['PrePOST'] = $x;

            session_register('PrePOST');
      }

      function session_to_post() {

            session_start();

            foreach ($_SESSION['PrePOST'] as $key => $value) {
                  $_POST[$key] = $value;
            }

            session_unregister('PrePOST');
      }
?>
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question