Header(location : and post vars

I have a main page which at the moment has links to all of my sites.
I want to change this so it has a login box with a username and password.
I would like it so that when to user enters the details they are logged into the site
they signed upto.

I have been using the idea below below.

//check username and password in db
//this will give me the site they are registered to

header("Location: http://www.$site_registered_to");

problem is that this will not pass the username and password to the other site.

it works if i use this

header("Location: http://www.$site_registered_to?username=$username&password=$password");

But i need to post the vars, can this be done and any ideas on how?

Thanks
tsPHPAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lozlozCommented:
unless you can change the post to get on the site registered side, i can only think of one way to do it in javascript. if you build a form with $site_registered_to for the action and hidden fields for the username and password, you can have an onload event in the body tag submit the form. i'm not sure it would work but it's worth a try i suppose

in the body tag:

<body onload="document.siteForm.submit()">


and for your form:

<form action="<? print $site_registered_to; ?>" name="siteForm" method="POST">
<input type="hidden" name="username" value="<? print $username; ?>">
<input type="hidden" name="password" value="<? print $password; ?>">
</form>
tsPHPAuthor Commented:
i understand your approach but i see this as a security issue if the varibles are placed as hidden fields.

lozlozCommented:
if you really want to hide the variables, cant you store them in a session? or do you have no control over the site_registered_to?
OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

tsPHPAuthor Commented:
I have control of the sites but htey are on different domains a nd different servers.
lozlozCommented:
heh good point, so you wouldn't think about encrypting the values over either get or post?
tsPHPAuthor Commented:
no i need to post the varibles as they are.

is there no way of setting the post in the headers like the location

a wild guess
header("Post: $username");

im going to quickly try this :)
lozlozCommented:
http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

cheers,

loz
shmertCommented:
You could use CURL or raw sockets to send a POST request to the external site with the username and password.
Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
which triggers the external site to re-set the sessionID cookie.
tsPHPAuthor Commented:
ive heard about CURL what exactly is this and does it need installing
tsPHPAuthor Commented:
ive thought of another idea, if i use

header("Location: http://www.$site_registered_to?username=$username&password=$password");

is it possible to stop the url from changing when i do the location part.
This would stop the varibles being show??
lozlozCommented:
you could do that through javascript but its not particularly secure. did you try the script i posted?
TaintedGodCommented:
Or, you could store the information in sessions, then you use those session variables on the different server, i can give you a link to how this is done if you are interested because the way you sugested will not work.
aolXFTCommented:
Tainted God, I'm interested in your approach of using Sessions on a different server, Please tell us more.

Why do you need to post the variables? The post method is no more secure than GET, unless you are posting a lot of data, ( > ~200 Bytes/Chars AFAIK ).

What you could do(as I've suggested else where on EE), would be to

<?php

header("Location: http://www." . $site_registered_to . "?postvars" = serialize($_POST);

?>

Then on the other side, put something at the start of the script, to take the serialized array, and put it back into a normal array.

<?php

$_POST = unserialize($GET['postvars']);

?>

The advantage of this approach is that if you defined suitable encryption/decryption functions you could use them too.

like

<?php

header("Location http://www." . $site_registered_to ."?postvars=" . encrypt(serialize($_POST)));

?>

and

<?php

$_POST = unserialize(decrypt($_GET['postvars']));

?>

I forgot to mention it earlier on, but you may need to use urlencode in there too somewhere.
shmertCommented:
This is an example of my previous post.  You send the username & password via POST to the remote server, and intercept the set-cookie header that gets sent back, which sets the session ID.  Then, you do a redirect, passing the sessionID in the URL.  The username/password is never displayed in the user's browser location bar, only the session ID.  The remote site needs to know how to use the sessionID in the URL as the sessionID for the redirected browser.

<?php
$url = 'http://localhost/test/authorize.php';
$args = 'username=shmert&password=password';

$url = parse_url($url);
if (empty($url['port'])) $url['port'] = 80;
$socket = fsockopen($url['host'], $url['port'], $errno, $errstr)
        or print("error # $errno while opening socket: $errstr <br />\n");
fputs($socket, "POST " . $url['path'] . " HTTP/1.0\n");
fputs($socket, "Host: " . $url['host'] . "\n");
fputs($socket, "User-Agent: shmertmethod\n");
fputs($socket, "Content-Type: application/x-www-form-urlencoded\n");
fputs($socket, "Content-Length: " . strlen($args) . "\n");
fputs($socket, "\n");
fputs($socket, $args);
$out = '';
while (!feof($socket)) {
        $line = fgets($socket, 1024);
        if (preg_match('/^set-cookie:\s*PHPSESSID=([a-z0-9]+)/i', $line, $matches)) {
                $cookie = $matches[1];
                break;
        }
}
if (empty($cookie)) {
        echo "Login failed, or could not generate a cookie";
} else {
        header("Location: http://" . $url['host'] . "/?PHPSESSID=$cookie");
}
?>

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TaintedGodCommented:
It appears shmert stole my post, that was exactly what i was talking about so you dont really need anything from me now.
shmertCommented:
Actually, I "stole" my own post ;)

> You could use CURL or raw sockets to send a POST request to the external site with the username and password.
> Then get the cookie which sets the sessionID, and then do a redirect to the other site and pass the sessionID in the URL,
> which triggers the external site to re-set the sessionID cookie.
lozlozCommented:
no you all stole my post from:

http://www.faqts.com/knowledge_base/view.phtml/aid/12039/fid/51

try the above script, i think it might work

:p

loz
shmertCommented:
Apologies, loz.  That code does look pretty similar...
willembermonCommented:
I'm using the following method with success.
before a header() call do a post_to_session() and just after you load a page do a session_to_post()

<?
      function post_to_session() {

            session_start();

            foreach ($_POST as $key => $value) {
                  $x[$key] = $value;
            }

            $_SESSION['PrePOST'] = $x;

            session_register('PrePOST');
      }

      function session_to_post() {

            session_start();

            foreach ($_SESSION['PrePOST'] as $key => $value) {
                  $_POST[$key] = $value;
            }

            session_unregister('PrePOST');
      }
?>
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.