Solved

POST vs GET 500 points - Urgent!

Posted on 2006-11-17
Last Modified: 2013-12-12
Hi experts,

I have an application that our users must log into (Main CMS)

I also have an application that manages their photos with a separate login form. (Photo Upload App)

Ideally once the user has logged into the main CMS they should not have to re-login to the Photo Upload App.

I can set it so both passwords are the same *however* how do I link to the second app from within the first app if the second app only accepts variables in POST format?

I'm thinking I may have to create another login form within the Main CMS, but there must be a way around this?

If it was GET I could merely link to /apps/myphotoapp/processlogin.php?user=username&pass=password but obviously this isn't very secure..

Is there a way of passing variables to the 2nd app in a POST manner but without using a form to do so?

Thanks
Question by:moconn
18 Comments
 
LVL 28

Assisted Solution

by:gamebits
gamebits earned 20 total points
ID: 17969728
Set the login variables in a cookie, or even better a session, and have the second app access the cookie or session and read the login variables.

Gamebits
LVL 10

Assisted Solution

by:kshitij_ahuja
kshitij_ahuja earned 110 total points
ID: 17970779
Well, gamebits rightly said. Use sessions for this purpose. When the user is about to leave app1, assign a value to a session variable that you can use to authorize the user on app2.

Suppose the user is on an app1 page. When he calls the app2 page, you can retrieve the user name and password for app2 from the db and assign it to a new session variable that you are going to use for authorization on app2.

ALSO, if you don't want the user to get back to the main CMS by first logging into app2 (meaning reverse entry, that is from app2 to app1), you can unset the main CMS session variable when the user leaves app1 for app2.

Hope this makes sense :)

-k-

LVL 11

Assisted Solution

by:Dany Balian
Dany Balian earned 70 total points
ID: 17971599
how do you jump from one application to another??? is it forms??

then you can post the first page (the first login) to your login page
in the login page, you see if the username/password are correct... and you create a form that is hidden and you post it with javascript

something like:

if ($login == 1) {
    // emit a hidden form carrying the username, then submit it immediately with javascript;
    // the value is escaped so a username cannot break out of the attribute
    echo '<form name="form2" action="uploadpage.asp" method="post"><input type="hidden" name="variablename" value="' . htmlspecialchars($username) . '"></form>';
    echo '<script language="javascript">document.form2.submit();</script>';
}

hope this helps

dan
LVL 10

Accepted Solution

by:
kshitij_ahuja earned 110 total points
ID: 17973503
dan,

Just to make a point, javascript may be disabled and in many cases users won't really know that the disabled js could be hampering their authorization.

LVL 11

Assisted Solution

by:Dany Balian
Dany Balian earned 70 total points
ID: 17974147
but sessions do not fix the problem here...
he needs to log in, and to repost to another form!!

the other alternative would be to post all fields to the same form (the second one) and from there get each piece of data on its own sql... and handle that data!! (this is valid if he has access to the code of the other page)

and I definitely do not recommend that you post your form with the get method when you have username/password in the data!!

unless you can encrypt or decrypt the data!!

hope this helps...

Dan

Author Comment

by:moconn
ID: 17974518

Hi guys,

Thanks for the suggestions..

Dany, can you give an example of what you mean by post all fields to the same form?

I could potentially write the username and password to the session upon first login and then just link to the landing page of the photo upload app, and perhaps tweak that to check if the session is set; if so give access, if not display an error..

Bit of a nuisance, but if that's the only way..

Will try it and award points if / when I get it working..

Cheers
LVL 10

Assisted Solution

by:kshitij_ahuja
kshitij_ahuja earned 110 total points
ID: 17974669
For mrdany

>> but sessions do not fix the problem here...
he needs to log in, and to repost to another form!!

It does fix the problem. Only a close look is needed. Let me explain it to you.

When a user is logged in to app1 and wants to use app2, one way (which the questioner doesn't want to use) is to let the user log in again using a new form for app2.

Just for a sec, suppose the user is forced to use the second login form. What will happen after the second form is successfully submitted? Probably the user is authorized if his values are correct. Right! Now what we are advocating is the use of sessions once the authorization is complete from the database.

Now as you (mrdany) said, this is not going to fix the problem. Consider it more closely. When app1 is being used by the authorized user and he requests a page from app2, what if we just call the corresponding login info for this user (who is already logged into app1) and create a new session for app2. We won't need another form to submit and then authorize the user and then create a session. We are directly skipping from one session to another by creating the new session using the older session's valid information.
AND this is very much extensible to as many new modules/apps as you want to add to any existing project.

>> the other alternative would be to post all fields to the same form (the second one) and from there get each piece of data on its own sql... and handle that data!! (this is valid if he has access to the code of the other page)

I think the asker is asking this only. He's asking "how to" post in this way. :)

>> and I definitely do not recommend that you post your form with the get method when you have username/password in the data!!

Same here. None of the experts would recommend passing sensitive data like login information using GET, even though high encryption methods are used.

I hope this much is clear.

moconn,
if you like this method, I can explain to you more clearly again how to use this, including password protecting your app1 with sessions (if you don't use them currently)

-k-

Author Comment

by:moconn
ID: 17975771

Hi kshitij,

Your method sounds like it has potential..

Could you explain a bit further please?

Thanks
LVL 10

Expert Comment

by:kshitij_ahuja
ID: 17977103
Sure moconn,

Here I go!

First, I am assuming the following things for the method I am explaining here:

1. You have two different modules/applications, app1 and app2.
2. You use sessions for app1.
3. You want to authorize the user to app2 when he is already logged into app1 WITHOUT letting him submit the login form for app2.

Solution:

When you let the user log into app1, you probably authorize by checking the login information against that in the db. When it comes out to be true, you probably create a session to keep him authorized throughout app1. Let's say this session variable is called $_SESSION['App1_login']. If you don't use sessions here, then let me know and I'll tell you how to do this.

Now when the user is logged into app1 and suddenly he requests a page or section of app2, you want him to access app2 only if he is an authorised user for app2. Instead of asking him to fill in the login form and submit again for authorization, you can retrieve the values of his login (for app2) using the info you have in the session variable you created when the user logged into app1, that is $_SESSION['App1_login'].

Retrieve the common info in both tables that store login info for both apps, which can be used to link the same user in two different tables with the same account.

For example, you may have a unique user "account code/id" in the form of a set of digits that is assigned to the user when he creates an account. This "unique" user acct code can be used to link the two tables of app1 and app2 logins to the same user. That way, when you have the $_SESSION['App1_login'] variable set, you can retrieve the user account code for the user whose login this is and then use this account code to find the user in table2 for app2. When you find the login valid there, you can create another session that will authorize the user throughout app2, and if the login is not found in table2, just display a message that the user is not authorized or that it's an invalid login.

Is that clear now?

-k-
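A worked version of the session bridge described in the post above, added here as an example (it is not code from the thread, the CMS, or Zen Photo). It assumes app1's login has already stored its user name in $_SESSION['App1_login'] and that both apps' user tables share an account code; the table and column names are hypothetical and the SQLite rows are constructed.

```php
<?php
// Added example (not code from the thread or from Zen Photo) of the session bridge
// described above: app1's login has already stored its user name in
// $_SESSION['App1_login']; app2 is authorized from that instead of a second form.
// Table and column names (app1_users, app2_users, login, account_code) are hypothetical.

// Gate for app2 pages. Returns true when the visitor is authorized for app2 (and sets
// $session['App2_login']); returns false when app2's own login form should be shown.
function authorizeApp2FromApp1(PDO $db, array &$session): bool
{
    if (!empty($session['App2_login'])) {
        return true;                       // already authorized for app2
    }
    if (empty($session['App1_login'])) {
        return false;                      // not logged into app1 either
    }
    // Map the app1 login to the account code shared by both user tables ...
    $st = $db->prepare('SELECT account_code FROM app1_users WHERE login = :login');
    $st->execute([':login' => $session['App1_login']]);
    $code = $st->fetchColumn();
    if ($code === false) {
        return false;
    }
    // ... and look the same account up in app2's table. Only app2's login name goes
    // into the session: no password is copied, and nothing secret crosses the browser.
    $st = $db->prepare('SELECT login FROM app2_users WHERE account_code = :code');
    $st->execute([':code' => $code]);
    $app2Login = $st->fetchColumn();
    if ($app2Login === false) {
        return false;                      // app1 user with no app2 account: not authorized
    }
    $session['App2_login'] = $app2Login;
    return true;
}

// Constructed fixture: an in-memory database with one linked and one unlinked user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app1_users (login TEXT, account_code TEXT)');
$db->exec('CREATE TABLE app2_users (login TEXT, account_code TEXT)');
$db->exec("INSERT INTO app1_users VALUES ('alice', '1001'), ('bob', '1002')");
$db->exec("INSERT INTO app2_users VALUES ('alice_photos', '1001')");

$session = ['App1_login' => 'alice'];      // stands in for $_SESSION after app1 login
var_dump(authorizeApp2FromApp1($db, $session), $session);   // alice is bridged into app2
$session = ['App1_login' => 'bob'];
var_dump(authorizeApp2FromApp1($db, $session));             // bob has no app2 account
```

In app2 itself, call it after session_start() with $_SESSION as the second argument and, when it returns true, regenerate the session id before continuing.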
LVL 1

Assisted Solution

by:nelwa
nelwa earned 300 total points
ID: 17986902
Hi,

Or you could use CURL to POST the values to the second script like so:

    $request = "";
    $param = array();
    $param["username"] = "user";
    $param["password"] = "pass";
    foreach ($param as $key => $val) {
        $request .= $key . "=" . urlencode($val);
        $request .= "&";
    }
    $request = substr($request, 0, strlen($request) - 1); // remove last &
    $url = "http://yournewscripturl.com";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url); // set the url
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the response as a variable
    curl_setopt($ch, CURLOPT_POST, 1); // set POST method
    curl_setopt($ch, CURLOPT_POSTFIELDS, $request); // set the POST variables
    $response = curl_exec($ch); // run the whole process and return the response
    curl_close($ch); // close the curl handle

    // you can do some testing here with the response, to see whether the login was successful, etc.
    if ($response == 'success') {
        header("Location: http://loginsuccess.com");
    } else {
        header("Location: http://loginfailed.com");
    }

hope this helps...

Author Comment

by:moconn
ID: 17987518

Hi newla,

Thanks for the CURL method, seems to be the most elegant approach without having to start including sessions
in the photo app.

I keep getting login failed though.. This is the login form for the photo app (zen photo)

function printLoginForm($redirect="/zen/admin.php") {
  global $error;

  echo "<p><img src=\"../zen/images/zen-logo.gif\" title=\"Zen Photo\" /></p>";

  echo "\n  <div id=\"loginform\">";
  if ($error) {
    echo "<div class=\"errorbox\" id=\"message\"><h2>There was an error logging in.</h2> Check your username and password and try again.</div>";
  }
  echo "\n  <form name=\"login\" action=\"#\" method=\"POST\">";
  echo "\n    <input type=\"hidden\" name=\"login\" value=\"1\" />";
  echo "\n    <input type=\"hidden\" name=\"redirect\" value=\"$redirect\" />";

  echo "\n    <table>";
  echo "\n      <tr><td>Login</td><td><input class=\"textfield\" name=\"user\" type=\"text\" size=\"20\" /></td></tr>";
  echo "\n      <tr><td>Password</td><td><input class=\"textfield\" name=\"pass\" type=\"password\" size=\"20\" /></td></tr>";
  echo "\n      <tr><td colspan=\"2\"><input class=\"button\" type=\"submit\" value=\"Log in\" /></td></tr>";
  echo "\n    </table>";
  echo "\n  </form>";
  echo "\n  </div>";
  echo "\n</body>";
  echo "\n</html>";
}

and this is the test script i just wrote incorporating your code..

<?php
    $request = "";
    $param = array();
    $param["user"] = "myusername";
    $param["pass"] = "mypassword";
    $param["login"] = "1";
    $param["redirect"] = "/zen/admin.php";

    foreach ($param as $key => $val) {
        $request .= $key . "=" . urlencode($val);
        $request .= "&";
    }
    $request = substr($request, 0, strlen($request) - 1); // remove last &
    $url = "http://www.mysite.com/mmcs/photos/company1/zen/admin.php";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url); // set the url
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the response as a variable
    curl_setopt($ch, CURLOPT_POST, 1); // set POST method
    curl_setopt($ch, CURLOPT_POSTFIELDS, $request); // set the POST variables
    $response = curl_exec($ch); // run the whole process and return the response
    curl_close($ch); // close the curl handle

    // you can do some testing here with the response, to see whether the login was successful, etc.
    if ($response == 'success') {
        header("Location: http://www.mysite.com/ya.html");
    } else {
        header("Location: http://www.mysite.com/nichnich.html");
    }
?>

Anything jumping out at you that i'm doing wrong?

Cheers
LVL 1

Expert Comment

by:nelwa
ID: 17987650
Hi,

You need to show me the code where you process the login, that's also where you should post the CURL vars to

Regards

Author Comment

by:moconn
ID: 17987698

Ok, this snippet of code is from auth_zp.php which appears to validate the form..

This script is called by classes.php which is called throughout the program..

// Excerpt from auth_zp.php (the else branch): handle the login form.
if (isset($_POST['login']) && isset($_POST['user']) && isset($_POST['pass'])) {
  $user = $_POST['user'];
  $pass = $_POST['pass'];
  $redirect = $_POST['redirect'];
  if ($user == zp_conf("adminuser") && $pass == zp_conf("adminpass")) {
    // Correct auth info. Set the cookie.
    setcookie("zenphoto_auth", md5($user.$pass), time()+5184000, $cookiepath);
    header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . WEBPATH . $redirect);
    $_zp_loggedin = true;
  } else {
    // Clear the cookie, just in case
    setcookie("zenphoto_auth", "", time()-368000, $cookiepath);
    $error = true;
  }
}

If it makes it easier to trace you can get the app here:
http://www.zenphoto.org/files/zenphoto-1.0.3.zip

Thanks again..


LVL 1

Expert Comment

by:nelwa
ID: 17987937
nope, I can't see anything wrong with that - maybe it's something very small... try echoing the values you get from the post request and check everything step by step until you find the error...

best of luck to you!

Author Comment

by:moconn
ID: 17988214

Ok,

When i echo out the request i get:

user=mickoc&pass=mmcs&login=1&redirect=%2Fzen%2Fadmin.php

Is it possible that the '%2' string needs to be replaced with '/'?

As an aside I tried this..

http://www.mysite.com/mmcs/photos/company1/zen/admin.php?user=mickoc&pass=mmcs&login=1&redirect=/zen/admin.php

And I was logged in fine.. strange when it's looking for a POST request...

LVL 1

Expert Comment

by:nelwa
ID: 17993679
ok, it is this section that's causing the url to be encoded:

foreach ($param as $key => $val) {
    $request .= $key . "=" . urlencode($val);
    $request .= "&";
}

change it to:

foreach ($param as $key => $val) {
    $request .= $key . "=" . $val;
    $request .= "&";
}

and it should work...
LVL 8

Expert Comment

by:jk2001
ID: 18001049
You probably don't want this advice: replace the user account back-end of the photo app.  Make it pluggable, and write a plugin to work with your cms.

I've tried post, as well as synchronizing logins, and while they both can work, it's not as good as real pluggable authentication, and it takes about the same amount of effort (which is a lot of effort).

The only "simple" solution I've ever used is using javascript to submit the form.  That one works surprisingly well, and generally works better than hacks to merge apps together using cleverness and voodoo.

Author Comment

by:moconn
ID: 18045455

I am splitting points on this one..

nelwa's answer was most helpful in that it didn't solve the problem but put me on the right track.

For anyone who's interested the solution is here:
http://www.zenphoto.org/support/topic.php?id=954&replies=5

Thanks for all your help!