Solved

most appropriate approach to linking two sites

Posted on 2014-04-03
1,617 Views
Last Modified: 2014-04-03
This type of thing is probably old-news for many folks, but outside my expertise.
We have a classic ASP website, and a customer has a PHP based website hosted on Amazon EC2.

We need to set up a mechanism whereby the PHP site can pass the ASP website an identifier which represents their request for the ASP site to do something. Later (as in days) the ASP site will want to pass back that ID, plus a bit of extra text based data, to the PHP site. This to "link records" for all intents.

I can envision a very simple .php and .asp page that simply accepts querystring parameters and does the necessary database insertion. But that feels insecure to me (??)  If there is a VPN between the two servers, does that not matter? What is the appropriate way to set this up so that there is some degree of authentication involved so that if any old person were to type a url it wouldn't do anything?
Question by:PMH4514
16 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39975033
You're on the right track with querystrings, and you're right they can be insecure.  By and large, you only have to worry if someone can see an example of the querystrings being passed back and forth.  Otherwise, it's unlikely anyone will know these pages even exist.

To sidestep anyone trying to manipulate the querystrings, you could encrypt the data being passed.  ROT13, or some other simple mechanism such as just swapping characters around would probably work fine.

Using a VPN would be another alternative, but would be overkill, IMO.
 
LVL 53

Accepted Solution

by:
Scott Fell,  EE MVE earned 500 total points
ID: 39975050
Think of it as setting up a webservice on either side.  In asp you are using xmlhttppost http://support.microsoft.com/kb/290591

<%@ Language=vbScript%>
<%
    DataToSend = "id=1"                     ' form-encoded body to post
    dim xmlhttp
    set xmlhttp = server.Createobject("MSXML2.ServerXMLHTTP")
    xmlhttp.Open "POST","http://localhost/Receiver.asp",false   ' false = synchronous call
    xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    xmlhttp.send DataToSend
    Response.ContentType = "text/xml"
    Response.Write xmlhttp.responsexml.xml  ' echo the XML the receiver returned
    Set xmlhttp = nothing
%>


In php you are using CURL https://php.net/manual/en/curl.examples-basic.php

First, make sure you are only using https.  Even if you don't have a certificate, you can use https.   Then create some type of key so you know it is the server you expect and you can also use your server side code to detect the ip the request is coming from.

Let's say the php page posts name, address, phone, email, password and a hash of the concatenated fields in a field called PhpHash.

On the asp end you would have
password="abc123"        ' your shared secret; the php side uses the same value
ProcessData=0
AuthIP="xxx.xx.xx.xx"    ' ip address of the php server
if request.form("PhpHash")<>"" AND Request.ServerVariables("remote_addr")=AuthIP then
  name=request.form("name")
  address=request.form("address")
  phone=request.form("phone")
  email=request.form("email")
  PhpHash=request.form("PhpHash")
  ' set up test (SHA256 is a hashing function you supply; classic asp has no built-in one)
  AspHash=SHA256(name&address&phone&email&password)
  ' compare inside the if block so an unset AspHash can never match an unset PhpHash
  if PhpHash=AspHash then ' we have good data
    ProcessData=1
  end if
end if

if ProcessData=1 then
    ' update your database
end if
 

Author Comment

by:PMH4514
ID: 39975101
Thanks Scott this looks like a good approach

 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39975128
To clarify, by posting a password, I mean your own passcode or "salt" that you add to the concatenated data.  

I am doing this very thing myself so wordpress php can talk to a web app I have in asp.
 

Author Comment

by:PMH4514
ID: 39975147
Is this salt something that both sides agree upon first, and then hide?
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39975230
Yes, both sides use the same password or salt.

The full password of course is the hashed concatenated field.  You don't have to use all fields, but at least 3 or 4 are good. Throwing in the current date or day is good too. Anything that helps avoid a pattern.
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39975725
I agree with Scott. That's probably the easiest way to do things. Just to clarify one thing that he said, though:

>Even if you don't have a certificate, you can use https.


HTTPS does require a certificate, but I think what Scott was trying to say is that you can use a self-signed, free certificate. You don't need to buy a commercial certificate from a place like VeriSign just for this.
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39975787
>HTTPS does require a certificate,

Actually, it does not.  You just have to have https turned on.  The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server.   A self signed certificate will throw a warning to the browser as well.  Since we are talking about making a direct post, you can do this without a certificate.

When you use https, your data is still encrypted.
 

Author Comment

by:PMH4514
ID: 39975990
Both sides are already HTTPS with signed certificates.
Scott, I'm not fully understanding the salt/password mechanism.  Does each side have to first agree upon some hidden key and hash mechanism so that the request and some other password are hashed together, and then the other side uses the same salt to pull it back apart?
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39976073
Exactly.  Assume you use sha256 as your hash.  Assume your salt is the current date and the password "eXpert".  To encode a first_name and last_name you would concatenate the two fields along with the date and password.

myHash=sha256(first_name&last_name&formatdatetime(date,2)&"eXpert")

Notice I formatted the date to m/d/yyyy.  Since PHP and ASP may treat dates differently,  make sure the end result is m/d/yyyy or mm/dd/yyyy if you use the full date.  

Now myHash gets submitted to the php page with the rest of the data.  So you will want to grab each field posted individually on the php side (first_name and last_name), add the date and password in the same order and apply sha256.    Next, compare the myHash that was posted from the other server to the myHash you created on the receiving server.   If they match, you are good.  

When you process credit card transactions, you will see this same method used by some gateways.
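The scheme from the accepted solution and the comment above (sha256 over the concatenated fields, the m/d/yyyy date and the shared password, recomputed and compared on the receiving side), written out as an added, language-neutral reference that is not code from the thread or from either site; `thread_date`, `build_post`, `verify_post`, the sample values "Pat"/"Smith" and the hardened variant (a `\x1f` field delimiter plus HMAC) are this example's own additions:

```python
import hashlib
import hmac
from datetime import date

# Shared secret (the "password"/salt) agreed out of band; the value is the one used in the thread.
SHARED_SECRET = "eXpert"


def thread_date(d: date) -> str:
    """m/d/yyyy with no zero padding, as the thread describes for formatdatetime(date, 2)."""
    return f"{d.month}/{d.day}/{d.year}"


def sign_as_in_thread(fields, day_str, secret=SHARED_SECRET):
    """The scheme as described: sha256(first_name & last_name & date & secret), hex encoded."""
    return hashlib.sha256(("".join(fields) + day_str + secret).encode("utf-8")).hexdigest()


def sign_hardened(fields, day_str, secret=SHARED_SECRET):
    """Same inputs, hardened (this example's addition): fields are delimited so 'ab'+'c' and
    'a'+'bc' no longer hash the same, and the secret is an HMAC key rather than appended text."""
    msg = "\x1f".join([*fields, day_str]).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def build_post(first_name, last_name, day_str, signer=sign_as_in_thread):
    """Sender side (the PHP site): the form fields plus myHash."""
    post = {"first_name": first_name, "last_name": last_name}
    post["myHash"] = signer([first_name, last_name], day_str)
    return post


def verify_post(post, day_str, signer=sign_as_in_thread):
    """Receiver side (the ASP site): recompute from the posted fields in the same order
    and compare; compare_digest does not leak where the two strings first differ."""
    expected = signer([post.get("first_name", ""), post.get("last_name", "")], day_str)
    return hmac.compare_digest(expected.encode("utf-8"), post.get("myHash", "").encode("utf-8"))


if __name__ == "__main__":
    day = thread_date(date(2014, 4, 3))          # both sides must hash the same date string
    post = build_post("Pat", "Smith", day)       # constructed sample request
    print("honest post verifies:", verify_post(post, day))
    post["last_name"] = "Jones"                  # field altered in transit
    print("tampered post verifies:", verify_post(post, day))
    print("thread scheme collides:", sign_as_in_thread(["ab", "c"], day) == sign_as_in_thread(["a", "bc"], day))
    print("hardened collides:", sign_hardened(["ab", "c"], day) == sign_hardened(["a", "bc"], day))
```

On the real endpoints the PHP side would build the same string and call hash('sha256', ...) while the ASP side uses whatever SHA-256 routine it has; the input bytes, field order and date format must be identical on both sides or every comparison fails.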
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39976623
>Actually, it does not.  You just have to have https turned on.  The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server.   A self signed certificate will throw an warning to the browser as well.  Since we are talking about making a direct post, you can do this without a certificate.

Just a final note for anyone else that comes across this thread - some servers will come with a default certificate installed. Turning on HTTPS without any changes may have it fall back to this default certificate, but a certificate is always required for HTTPS.
 

Author Comment

by:PMH4514
ID: 39976917
Very interesting.

still confused though - if both sides are HTTPS, is plain text fine?  If not, if VPN between servers, is plain text fine? Or, is asking if plain text is fine just being lazy?
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39976953
Yes it is.  Based on what I have worked on it always just worked.  It's a good day when you get to learn one new good thing!
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39977067
gr8gonzo can probably answer the question about clear text vs vpn better than I can.  However, if you have ever worked with 3rd party APIs or send credit card data to a gateway, the method I gave you is typical.

The other benefit of setting up your own api like this is you can easily reuse it for something else.
 

Author Comment

by:PMH4514
ID: 39977092
I see, understood now. I like it!
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39977142
I'd almost always tell people to treat server VPNs as a last resort. VPNs are great for temporary access to a network, but keeping them active all the time is a pain. Most need to refresh at points and that can interrupt things, so a VPN is not usually a good thing to rely on to be active all the time.

Clear text is probably fine if you're using SSL. There's no harm in encrypting things further so if one security layer is breached, you have a fallback. It's just up to you and what data you're trying to secure. The more sensitive the data, the more you'll want to protect it.

Most security standards like PCI DSS don't require more than one layer of encryption on the data, but it's not a bad idea if you can afford to implement it.
