We help IT Professionals succeed at work.

copy content of the "userid" field

loopax
loopax asked
on
293 Views
Last Modified: 2008-02-26
Hi, I have 2 html pages, the first page(http://www.example.com/page1.html) on my website is using this php code and then goes to www.page2.com:
<?
  $userid = $_POST['userid'] ;
  $pass = $_POST['pass'] ;
   header( "Location: http://www.members.com/page2.html" );
?>
If the user complete the steps and the password is incorrect he will be redirected to another page hosted on a different domain but has the same form and same fields eg: http://www.members.com/page2.html (different domain)
How do I make that the input from userid field (from the first page) to be automatically filled in the second page on the userid field there after error ocured?
Comment
Watch Question

Add the variables into the URL of the header() function [ http://www.members.com/page2.html?userid=xxx&pass=yyy], and then access the variables in the $_GET[] array
CERTIFIED EXPERT
Top Expert 2004

Commented:
Oh my...I wouldn't do that.  That exposes the userid and password on the URL, which could compromise your system.  Suppose someone is standing behind me as I log in, but I mistype my password.  The plain-text typo would be visible in the URL after the first attempt.  Granted, it isn't my real password, but it could serve as the base platform from which to launch brute-force or dictionary attack.  

A better option would be to use a session variable.  That should allow the server to track the information, and keep it hidden from prying eyes.

With either option, be aware of the possibilities for attack using this as a vector.  As always, make sure you properly encode (real_escape_string() or htmlentities()) the data before displaying or hitting a database.

Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Security will be an issue; but it can be "solved" easily by simply hashing the username and password.

Will sessions work accross different domains - never tried it before?
CERTIFIED EXPERT
Top Expert 2004

Commented:
>>> Will sessions work accross different domains - never tried it before?

Not unless the two domains have a way to sync 'em up.  For that, you'd use the method found in frin's link.  It uses a thunker to recreate a form post to the site, grab the session cookie, then forward the client there with that session id.  Even so, that only works if the remote site allows sessions in the URLs.

I suppose hashing the postvars (frin's link has an example of that also, btw) would provide the necessary security, but I'm naturally wary of any information being posted to the URL.  I conceded using it for page index variables and search terms after a long fight, but I still wouldn't use it for anything 'important' like authentication tokens.

@loopax: do you control the remote domain whose form you need to populate?  If so, by what mechanism does it populate the fields on its own?  If not, this may not even be an option for you.

Author

Commented:
@routinet , I control only the first domain
CERTIFIED EXPERT
Top Expert 2004

Commented:
Definitely take a look at frin's link...that might be the only this could happen.  Since you don't control the other domain, you can not make it do anything.  But if you know how it works, you can take advantage of that knowledge to build something seamless.

Just so you know, the example in that link is essentially a session hijack done on purpose.  Your server starts a session by posting the form fields to the remote.  It receives back a session id, which it then passes to your client in the form of a redirection URL.  The session id appears in the URL - this method is seamless, but not transparent, and it does present its own vulnerabilities.

Author

Commented:
Ok, I manage to do something I think, It seems that I can use the header location like this :
header( "Location: http://www.site_registered_to?&userid=$userid&pass=$pass");
The problem now seems to be the cookie, because I am getting browser rejecting cookies error after trying to submit. What I saw is that there if u try to log in normally to the second site using their forms but with any userid and pass even incorrect ones, and right after the error you go and use your forms and try to log in from there it works! So practically you have their cookie which can be used to log in anytime ? What can be done about this ? I was thinking to do somehow to get that login error first(on the second domain to get the cookie) then try to submit the form from my domain.
I want to do it using most simple method no matter security, because I am like a beginer in php js etc.. any ideeas? Thanks

Author

Commented:
I'll write a new question because I think the part I needed i solved and now is the cookie part which I need to get solved. Thanks for help everyone

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.