Solved

Sending Password

Posted on 2004-09-05
Last Modified: 2010-07-27
Dear Experts,

Is it possible for PHP to securely send the current user's user name and password to another web site?    If so,  how is this done?

Thanks,


Lee.
Question by:lnwright
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 100 total points
ID: 11986510
Are you using a standard login? And is the server you're connecting to capable of SSL?

If it's normal authentication, you can redirect them using https://username:password@somedomain.com or by using https://somedmoain.com/somescript?un=username&pw=password

Because the connection is secure BEFORE the GET data is sent, it should be sent in an encrypted form. I've never tried this before, so I'll await other experts' opinions before guaranteeing anything.
0
 
LVL 1

Assisted Solution

by:f0rdmstang
f0rdmstang earned 100 total points
ID: 11986531
What type of function are you using this for?

If you're using some type of database such as MySQL you can have your script connect to the remote computers by using its domain name or IP address, considering the right permissions are granted.
0
 

Author Comment

by:lnwright
ID: 11986662
Thanks basiclife & f0rdmstang,

At this stage it looks like both sites will be https.    It is not a database just PHP.

Lee.
0
 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986741
I know in the past I've called or redirected someone to https sites and also passed things such as Credit Card info.  Make your script and include your info in a url.


base url :  https://www.yourdomain.com/scripts-dir/myscript.php
info to pass
user:   myuser
pass:   MyPassword123

final url = ?

https://www.yourdomain.com/scripts-dir/myscript.php?username=myuser&pass=MyPassword123

Then in the myscript.php reference the user or pass as $HTTP_GET_VARS['username'] or $HTTP_GET_VARS['pass'].  One thing you could always do is encrypt the password with md5 and only pass that password to the https url

Hope that helps
0
 

Author Comment

by:lnwright
ID: 11986863
I am just wondering with passing the username and password through a URL,  if the browser will remember it in its history and therefore possibly reveal it to other users
0
 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986896
Your browser shouldn't remember https urls if I remember correctly.  You could also call a url from your Script rather than from the url the user sees.  This code is not verified so I don't know if it works, but I know I used to do the equivalent in Perl

include('http://www.google.com');
0
 
LVL 25

Accepted Solution

by:
Squinky earned 100 total points
ID: 11988296
Use file_get_contents or CURL to query the other server, not include. Include will not fail gracefully if the connection cannot be made.

The browser will never see the remote URL (it passes server-server, not server-client-server like a redirect), so it will never be stored in the browser history.
0
 

Author Comment

by:lnwright
ID: 11988314
Thanks Squinky,

I am a newbie to PHP so can you give a little more detail?

Regards,


Lee.
0
 
LVL 25

Expert Comment

by:Squinky
ID: 11988424
Build the URL something like f0rdmstang suggests, then retrieve the contents of the page by saying:

$page = file_get_contents($url);

$page now contains whatever the URL returned to you. You can send this back to the original user by just saying:

header('Content-type: text/html');
echo($page);

Or alternatively, just pass the results straight from the server to the client by using:

readfile($url);

The upshot of this is that the client will see the pages from the remote server, but at the URL of your server.

Incidentally, normal syntax for a URL containing id and password handled by HTTP is:

https://user:password@www.example.com/index.php
0
 

Author Comment

by:lnwright
ID: 11988526
Thanks again Squinky,

Can I trouble you for a simple php code example.   I have set up a protected directory here:

https://aus.unlimited-space.com/~onlineac/test/

the username is "experts" and the pass is "exchange"

Thanks.
0
 
LVL 25

Expert Comment

by:Squinky
ID: 11990748
<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

Alternatively if you just want to pass the page through untouched:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

Note that while you've retrieved this page over SSL, the link back to the client may not be secure.
0
 

Author Comment

by:lnwright
ID: 11992179
Thanks Squinky,

With the first one I get this error:

Warning: file_get_contents(https://experts:exchangeaus.unlimited-space.com/~onlineac/test/): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\wwwroot\reports\PassUserAndPassword.php:1) in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 7

I tried adding @ after the pass but still error

For the second I get this:

Warning: readfile(https://...@aus.unlimited-space.com/~onlineac/test/index.htm): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Can you please advise.

0
 
LVL 5

Expert Comment

by:basiclife
ID: 11993251
As far as I can tell, everyone agrees with me. Post additional comments if you have any problems
0
 
LVL 25

Expert Comment

by:Squinky
ID: 11995020
It is just missing the @ - I don't know why putting it in didn't work for you. This script works fine for me (I get an MYOB page back?):

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

The second script had the same problem, I added an @, and it now works too:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

basiclife, this isn't what you suggested - there's no redirect happening here at all, nor should there be; it's really being a kind of dumb proxy.
0
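The server-to-server fetch discussed in this thread, shown as an added example that is not code from any poster: it uses cURL (which the accepted solution names as an option) and passes the credentials with CURLOPT_USERPWD so they travel in the Authorization header rather than in the URL, which keeps them out of PHP warnings like the ones quoted above and out of URL-based logs. The target URL and the REMOTE_USER / REMOTE_PASS environment variable names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. The URL and the REMOTE_USER /
// REMOTE_PASS environment variable names are assumptions for illustration.

function fetch_protected(string $url, string $user, string $pass): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,                 // return the body instead of printing it
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,  // sent as a header, never part of the URL
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,      // refuse anything that is not https
        CURLOPT_SSL_VERIFYPEER => true,                 // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                    // certificate must match the host name
        CURLOPT_FOLLOWLOCATION => false,                // do not carry credentials across redirects
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    // Error messages carry only the cURL error number or HTTP status,
    // so nothing logged or displayed contains the user name or password.
    if ($body === false) {
        throw new RuntimeException("Remote request failed (cURL error $errno)");
    }
    if ($status === 401 || $status === 403) {
        throw new RuntimeException('Remote server rejected the credentials');
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Remote server returned HTTP $status");
    }
    return $body;
}

try {
    $page = fetch_protected('https://www.example.com/protected/',
        (string) getenv('REMOTE_USER'), (string) getenv('REMOTE_PASS'));
    header('Content-Type: text/html'); // assumes the fetched resource is HTML
    echo $page;
} catch (RuntimeException $e) {
    error_log($e->getMessage());       // details go to the server log only
    http_response_code(502);
    echo 'The remote page could not be retrieved.';
}
```

Passing the credentials as a separate option also avoids the URL-parsing problems that arise when a password contains characters such as `@`, `:` or `/`.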
 
LVL 5

Expert Comment

by:basiclife
ID: 12010154
Sorry, you're quite right - I was in a rush last night and just scanned the 1st few answers. Please excuse my overbearing asshole attitude :D
0
 
LVL 5

Expert Comment

by:basiclife
ID: 12530411
Seems to me Squinky should get the points for this one
0
 

Author Comment

by:lnwright
ID: 12549633
Sorry forgot about this one.  Thanks for your comments guys.    I ended up not using this type of arrangement so I don't know which actually is the best but I will pick what I thought seemed the best answers.

Regards,


Lee.
0
