Solved

Sending Password

Posted on 2004-09-05
18
208 Views
Last Modified: 2010-07-27
Dear Experts,

Is it possible for PHP to securely send the current user's user name and password to another web site?    If so,  how is this done?

Thanks,


Lee.
0
Question by:lnwright
18 Comments
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 100 total points
ID: 11986510
Are you using a standard login? And is the server you're connecting to capable of SSL?

If it's normal authentication, you can redirect them using https://username:password@somedomain.com or by using https://somedomain.com/somescript?un=username&pw=password

Because the connection is secure BEFORE the GET data is sent, it should be sent in an encrypted form. I've never tried this before, so I'll await other experts' opinions before guaranteeing anything.
0
 
LVL 1

Assisted Solution

by:f0rdmstang
f0rdmstang earned 100 total points
ID: 11986531
What type of function are you using this for?

If you're using some type of database such as MySQL, you can have your script connect to the remote computers by using its domain name or IP address, considering the right permissions are granted.
0
 

Author Comment

by:lnwright
ID: 11986662
Thanks basiclife & f0rdmstang,

At this stage it looks like both sites will be https.    It is not a database just PHP.

Lee.
0
 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986741
I know in the past I've called or redirected someone to https sites and also passed things such as credit card info.  Make your script and include your info in a URL.


base url :  https://www.yourdomain.com/scripts-dir/myscript.php
info to pass
user:   myuser
pass:   MyPassword123

final url = ?

https://www.yourdomain.com/scripts-dir/myscript.php?username=myuser&pass=MyPassword123

Then in myscript.php, reference the user or pass as $HTTP_GET_VARS['username'] or $HTTP_GET_VARS['pass'].  One thing you could always do is encrypt the password with md5 and only pass that password to the https URL.

Hope that helps
0
 

Author Comment

by:lnwright
ID: 11986863
I am just wondering, with passing the username and password through a URL, if the browser will remember it in its history and therefore possibly reveal it to other users.
0
 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986896
Your browser shouldn't remember https URLs if I remember correctly.  You could also call a URL from your script rather than from the URL the user sees.  This code is not verified so I don't know if it works, but I know I used to do the equivalent in Perl:

include('http://www.google.com');
0
 
LVL 25

Accepted Solution

by:Marcus Bointon
Marcus Bointon earned 100 total points
ID: 11988296
Use file_get_contents or CURL to query the other server, not include. Include will not fail gracefully if the connection cannot be made.

The browser will never see the remote URL (it passes server-server, not server-client-server like a redirect), so it will never be stored in the browser history.
0
 

Author Comment

by:lnwright
ID: 11988314
Thanks Squinky,

I am a newbie to PHP so can you give a little more detail?

Regards,


Lee.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11988424
Build the URL something like f0rdmstang suggests, then retrieve the contents of the page by saying:

$page = file_get_contents($url);

$page now contains whatever the URL returned to you. You can send this back to the original user by just saying:

header('Content-type: text/html');
echo($page);

Or alternatively, just pass the results straight from the server to the client by using:

readfile($url);

The upshot of this is that the client will see the pages from the remote server, but at the URL of your server.

Incidentally, normal syntax for a URL containing id and password handled by HTTP is:

https://user:password@www.example.com/index.php
0
 

Author Comment

by:lnwright
ID: 11988526
Thanks again Squinky,

Can I trouble you for a simple php code example.   I have set up a protected directory here:

https://aus.unlimited-space.com/~onlineac/test/

the username is "experts" and the pass is "exchange"

Thanks.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11990748
<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

Alternatively if you just want to pass the page through untouched:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

Note that while you've retrieved this page over SSL, the link back to the client may not be secure.
0
 

Author Comment

by:lnwright
ID: 11992179
Thanks Squinky,

With the first one I get this error:

Warning: file_get_contents(https://experts:exchangeaus.unlimited-space.com/~onlineac/test/): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\wwwroot\reports\PassUserAndPassword.php:1) in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 7

I tried adding @ after the pass but still error

For the second I get this:

Warning: readfile(https://...@aus.unlimited-space.com/~onlineac/test/index.htm): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Can you please advise.

0
 
LVL 5

Expert Comment

by:basiclife
ID: 11993251
As far as I can tell, everyone agrees with me. Post additional comments if you have any problems.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11995020
It is just missing the @ - I don't know why putting it in didn't work for you. This script works fine for me (I get an MYOB page back?):

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

The second script had the same problem, I added an @, and it now works too:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

basiclife, this isn't what you suggested - there's no redirect happening here at all, nor should there be; it's really being a kind of dumb proxy.
0
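
An added example, not part of the original thread or any poster's code: the warnings quoted earlier show that a URL with embedded credentials is echoed in full in PHP's error output, so this version passes the credentials through cURL's CURLOPT_USERPWD option instead, verifies the server certificate, and fails gracefully. The URL and the environment variable names are placeholders chosen for illustration.

```php
<?php
// Added example: server-to-server fetch with HTTP Basic auth over TLS.
// The URL and environment variable names below are hypothetical placeholders.

function fetch_protected_page(string $url, string $user, string $pass): string
{
    if (strpos($user, ':') !== false) {
        // Basic auth splits on the first colon, so the user name cannot contain one.
        throw new InvalidArgumentException('User name must not contain ":"');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,     // refuse plain http://
        CURLOPT_SSL_VERIFYPEER => true,                // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                   // and that it matches the host name
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass, // sent as a header, not in the URL
        CURLOPT_FOLLOWLOCATION => false,               // do not follow redirects
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // The URL carries no credentials, so they cannot appear in this message.
        throw new RuntimeException("Request failed ($errno): $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Remote server answered HTTP $status");
    }
    return $body;
}

try {
    $page = fetch_protected_page(
        'https://partner.example/protected/',  // placeholder URL
        (string) getenv('REMOTE_USER_NAME'),   // hypothetical variable names
        (string) getenv('REMOTE_PASSWORD')
    );
    header('Content-Type: text/html; charset=utf-8');
    echo $page;
} catch (Exception $e) {
    error_log($e->getMessage());               // details go to the server log only
    http_response_code(502);
    echo 'The remote service is unavailable.';
}
```

Because the password is not interpolated into the URL, characters such as @ or / in it no longer need URL-encoding.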
 
LVL 5

Expert Comment

by:basiclife
ID: 12010154
Sorry, you're quite right - I was in a rush last night and just scanned the 1st few answers. Please excuse my overbearing asshole attitude :D
0
 
LVL 5

Expert Comment

by:basiclife
ID: 12530411
Seems to me Squinky should get the points for this one
0
 

Author Comment

by:lnwright
ID: 12549633
Sorry forgot about this one.  Thanks for your comments guys.    I ended up not using this type of arrangement so I don't know which actually is the best but I will pick what I thought seemed the best answers.

Regards,


Lee.
0
