Solved

Web Intranet Corporate Auto Login using existing user information

Posted on 2009-05-13
Last Modified: 2013-12-19
I am building an intranet for a client using Apache, PHP and Zend Framework. They have a corporate network with roaming profiles and active directory. The intranet will only be accessible from inside the network and not externally. They use IE7 only.

What they want is to automatically authenticate by knowing the current user. They do not want to have to log in a second time.

I know I can query the LDAP Active Directory server and authenticate with the same username and password but they specifically do not want to log in again.

I do not think this is possible, how can a PHP script know what the current user is? Hopefully someone can tell me different.

Is there some Active X module that will add the username to the $_SERVER or similar? All I need to get to authorise is the username because the site is only accessible internally and everyone that accesses the http server has to be logged on and authenticated with the network.

Any ideas?

If all else fails I will authenticate with the LDAP server and just have a cookie but if I could do it it would be awesome.

Thanks.

Question by:stmayes
LVL 10

Accepted Solution

by:
webwyzsystems earned 500 total points
ID: 24376140
How about javascript creating an activex? Will that work for you?

<SCRIPT>
var wshshell=new ActiveXObject("wscript.shell");
var username=wshshell.ExpandEnvironmentStrings("%username%");
alert (username);
</SCRIPT>

You'll need to have each workstation adjust their security settings....

Author Comment

by:stmayes
ID: 24376325
I thought that this sort of functionality was available but I have never explored it. Can you comment more? I tried the attached code in IE6 and it just bugged out (I don't think the object is being created) and did nothing. Can you suggest any threads or online resources for me? I have no experience on Windows and come from a Mac and *nix background.

Thanks

Author Comment

by:stmayes
ID: 24376543
Just disabled all security and got the JS to work. What is the minimum security required? How do I prompt to "trust" the site? I can get their sys admin to add the site to the roaming profiles.

Can anyone see this as a security problem? If I was to do an ajax request on the site home page posting the username to my script for authentication? I would like to limit my script and say it must be referred via my homepage to prevent hacking using the $_SERVER['HTTP_REFERER']. However I know that this can be hacked very easily.

Can anyone suggest an improvement to this model??
LVL 10

Expert Comment

by:webwyzsystems
ID: 24378946
Why prompt? If you are Active Directory, then add a policy to trust. See this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22590528.html

IMPROVEMENTS
Your primary risk will be from a "trusted" user, who injects his own values for the javascript - perhaps by frame or iframe injection.
A home page redirect might be an idea. When they pull up your home page, it would go to a page, get the logged in username silently, then redirect to your "real" home page. On this page, you can also trap for failure, referrer, whatever you wish. If username is undefined then popup an alert saying "This page needs to be added to your trusted sites zone.".

And of course it's always a good idea to use php sessions on your site, rather than passing sensitive variables with POST or GET.

Author Comment

by:stmayes
ID: 24382712
Thanks.

Re "Why Post?": I'd have to make the POST once to get the var from the JS into the PHP and I would then use Zend_Auth, Zend_Acl & Zend_Session to manage access control from then on.

If I have a blank home page with only an AJAX (jQuery) call:
$('#myDiv').load('/auth/login/', {'username': username, 'type': 'renderHomepage'});

Then on '/auth/login' do the authentication and return a response.

Also for added security (albeit it is easy to hack), in order to execute '/auth/login', the $_SERVER['HTTP_REFERER'] must be '/auth/login'.

Is this solution still exposed to any code injection??
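
The login check discussed in this thread, modelled as an added example (not code from the thread or from Zend Framework): a handler that trusts a posted username plus `HTTP_REFERER`, beside one that accepts only an identity set by the web server after it authenticated the connection. The URL, the user names and the `serverAuthUser` field are constructed assumptions, and the functions run over plain request objects rather than a real server.

```javascript
// Added example: models the /auth/login decision from the thread as plain
// functions over constructed request objects (no network, no real server).

const EXPECTED_REFERER = 'http://intranet.example/'; // constructed placeholder

// Check as proposed in the thread: the username comes from the POST body and
// the Referer header is compared to an expected page. Both values are chosen
// by whoever builds the request, so neither proves who is asking.
function loginFromClientClaim(req) {
  if (req.headers.referer !== EXPECTED_REFERER) return null;
  const name = (req.body.username || '').trim().toLowerCase();
  return name === '' ? null : name;
}

// Alternative: ignore the body and accept only an identity the web server
// attached after authenticating the connection itself (hypothetical field
// `serverAuthUser`, in the form DOMAIN\user, user@REALM or user).
function loginFromServerIdentity(req) {
  const raw = req.serverAuthUser;
  if (typeof raw !== 'string') return null; // fail closed: no identity, no login
  const m = /^(?:[^\\@]+\\)?([A-Za-z0-9._-]{1,64})(?:@[^\\@]+)?$/.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// Constructed sample requests.
const fromHomepage = { // sent by the home page script for the logged-on user
  headers: { referer: EXPECTED_REFERER },
  body: { username: 'asmith', type: 'renderHomepage' },
  serverAuthUser: 'CORP\\asmith',
};
const handBuilt = { // same workstation user, different name in the body
  headers: { referer: EXPECTED_REFERER },
  body: { username: 'bjones', type: 'renderHomepage' },
  serverAuthUser: 'CORP\\asmith',
};
const noServerAuth = { // web server did not authenticate the connection
  headers: { referer: EXPECTED_REFERER },
  body: { username: 'bjones', type: 'renderHomepage' },
};

// Returns the user each check would log in for a given request.
function compare(req) {
  return { claim: loginFromClientClaim(req), server: loginFromServerIdentity(req) };
}
```

Whichever check is used, the resulting name belongs in the server-side session from then on, as the expert comment recommends, and is never re-read from later POST or GET data.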