  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1650

most appropriate approach to linking two sites

This type of thing is probably old-news for many folks, but outside my expertise.
We have a classic ASP website, and a customer has a PHP based website hosted on Amazon EC2.

We need to setup a mechanism whereby the PHP site can pass the ASP website an identifier which represents their request for the ASP site to do something.  Later (as in days) the ASP site will want to pass back that ID, plus a bit of extra text based data, to the PHP site. This to "link records" for all intents.

I can envision a very simple .php and .asp page that simply accepts querystring parameters and does the necessary database insertion. But that feels insecure to me (??)  If there is a VPN between the two servers, does that not matter? What is the appropriate way to set this up so that there is some degree of authentication involved so that if any old person were to type a url it wouldn't do anything?
Asked by: PMH4514

1 Solution

Paul MacDonald, Director, Information Systems, commented:
You're on the right track with querystrings, and you're right they can be insecure. By and large, you only have to worry if someone can see an example of the querystrings being passed back and forth. Otherwise, it's unlikely anyone will know these pages even exist.

To sidestep anyone trying to manipulate the querystrings, you could encrypt the data being passed.  ROT13, or some other simple mechanism such as just swapping characters around would probably work fine.

Using a VPN would be another alternative, but would be overkill, IMO.
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
Think of it as setting up a web service on either side. In ASP you use XMLHTTP to POST: http://support.microsoft.com/kb/290591

<%@ Language=vbScript%>
<%
    ' Form-encoded body to POST to the receiving page
    DataToSend = "id=1"
    Dim xmlhttp
    Set xmlhttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
    ' Synchronous POST (third argument False = wait for the response)
    xmlhttp.Open "POST", "http://localhost/Receiver.asp", False
    xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    xmlhttp.send DataToSend
    ' Relay the receiver's XML response to the caller
    Response.ContentType = "text/xml"
    Response.Write xmlhttp.responseXML.xml
    Set xmlhttp = Nothing
%>



In PHP you use cURL: https://php.net/manual/en/curl.examples-basic.php

First, make sure you are only using https. Even if you don't have a certificate, you can use https. Then create some type of key so you know it is the server you expect, and you can also use your server-side code to detect the IP the request is coming from.

Let's say the PHP page posts name, address, phone, email, password and a hash of the concatenated fields in a field called PhpHash.

On the ASP end you would have:
' Shared passcode agreed with the PHP side (placeholder value)
password = "abc123"
ProcessData = 0
' Only accept posts from the PHP server's address (placeholder value)
AuthIP = "xxx.xx.xx.xx"
AspHash = ""
PhpHash = Request.Form("PhpHash")
If PhpHash <> "" And Request.ServerVariables("REMOTE_ADDR") = AuthIP Then
    name = Request.Form("name")
    address = Request.Form("address")
    phone = Request.Form("phone")
    email = Request.Form("email")
    ' Recompute the hash over the same fields in the same order;
    ' SHA256() is a helper function you supply, classic ASP has no built-in one
    AspHash = SHA256(name & address & phone & email & password)
End If
If AspHash <> "" And PhpHash = AspHash Then ' we have good data
    ProcessData = 1
End If

If ProcessData = 1 Then
    ' update your database
End If


 
PMH4514 (Author) commented:
Thanks Scott this looks like a good approach
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
To clarify, by posting a password, I mean your own passcode or "salt" that you add to the concatenated data.

I am doing this very thing myself so wordpress php can talk to a web app I have in asp.
 
PMH4514 (Author) commented:
Is this salt something that both sides agree upon first, and then hide?
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
Yes, both sides use the same password or salt.

The full password of course is the hashed concatenated field.  You don't have to use all fields, but at least 3 or 4 are good. Throwing in the current date or day is good too. Anything that helps avoid a pattern.
 
gr8gonzo, Consultant, commented:
I agree with Scott. That's probably the easiest way to do things. Just to clarify one thing that he said, though:

> Even if you don't have a certificate, you can use https.

HTTPS does require a certificate, but I think what Scott was trying to say is that you can use a self-signed, free certificate. You don't need to buy a commercial certificate from a place like VeriSign just for this.
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
>HTTPS does require a certificate,

Actually, it does not. You just have to have https turned on. The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server. A self-signed certificate will throw a warning to the browser as well. Since we are talking about making a direct post, you can do this without a certificate.

When you use https, your data is still encrypted.
 
PMH4514 (Author) commented:
Both sides are already HTTPS with signed certificates.
Scott, I'm not fully understanding the salt/password mechanism. Does each side have to first agree upon some hidden key and hash mechanism so that the request and some other password are hashed together, and then the other side uses the same salt to pull it back apart?
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
Exactly. Assume you use sha256 as your hash. Assume your salt is the current date and the password, "eXpert". To encode a first_name and last_name you would concatenate the two fields along with the date and password.

myHash=sha256(first_name&last_name&formatdatetime(date,2)&"eXpert").

Notice I formatted the date to m/d/yyyy. Since PHP and ASP may treat dates differently, make sure the end result is m/d/yyyy or mm/dd/yyyy if you use the full date.

Now myHash gets submitted to the php page with the rest of the data. So you will want to grab each field posted individually on the php side (first_name and last_name), add the date and password in the same order and apply sha256. Next, compare the myHash that was posted from the other server to the myHash you created on the receiving server. If they match, you are good.

When you process credit card transactions, you will see this same method used by some gateways.
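The scheme Scott describes in his two answers above (concatenated fields plus a shared password and the m/d/yyyy date, hashed with SHA-256, then recomputed and compared on the receiving side, with the sender's IP checked first), written out as an added Python example that is not code from the thread. It also goes one step further than the thread: it shows why undelimited concatenation lets two different field sets produce the same hash, shows the keyed (HMAC) and delimited form a practitioner would use instead, accepts yesterday's date so the two servers' clocks need not agree, and compares in constant time. The secret "eXpert", the IP addresses and the date are placeholder values.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Shared passcode ("salt" in the thread), agreed out of band; placeholder value
SECRET = "eXpert"

def page_hash(fields, on_date, secret=SECRET):
    """The thread's scheme: sha256(first_name & last_name & m/d/yyyy & password)."""
    day = f"{on_date.month}/{on_date.day}/{on_date.year}"  # m/d/yyyy, no zero padding
    return hashlib.sha256(("".join(fields) + day + secret).encode()).hexdigest()

def hardened_mac(fields, on_date, secret=SECRET):
    """Same idea, but keyed (HMAC) and with the fields delimited so that
    ["ab", "c"] and ["a", "bc"] no longer produce the same value."""
    msg = json.dumps(list(fields) + [on_date.isoformat()], separators=(",", ":"))
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def verify(fields, posted_mac, today, remote_ip, allowed_ip, mac_fn=hardened_mac):
    """Receiving side: reject unexpected source IPs, recompute the value for today
    and yesterday (the two servers' clocks may straddle midnight), and compare in
    constant time so the comparison itself leaks nothing about the expected value."""
    if remote_ip != allowed_ip:
        return False
    for day in (today, today - timedelta(days=1)):
        if hmac.compare_digest(mac_fn(fields, day), posted_mac):
            return True
    return False

def demo():
    """Constructed sample exchange; returns the checks a caller can assert on."""
    d, ip = date(2014, 3, 5), "10.0.0.5"  # constructed date and sender address
    fields = ["Jane", "Doe"]
    mac = hardened_mac(fields, d)
    return {
        "page_hash": page_hash(fields, d),
        "ambiguous": page_hash(["ab", "c"], d) == page_hash(["a", "bc"], d),
        "hardened_distinct": hardened_mac(["ab", "c"], d) != hardened_mac(["a", "bc"], d),
        "ok": verify(fields, mac, d, ip, ip),
        "ok_next_day": verify(fields, mac, d + timedelta(days=1), ip, ip),
        "stale": verify(fields, mac, d + timedelta(days=2), ip, ip),
        "wrong_ip": verify(fields, mac, d, "10.0.0.6", ip),
        "tampered": verify(["Jane", "Dox"], mac, d, ip, ip),
    }
```

Both sides must build the JSON array in the same field order, exactly as the thread says for the concatenated form; the IP check only helps when the PHP server's egress address is fixed.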
 
gr8gonzo, Consultant, commented:
> Actually, it does not. You just have to have https turned on. The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server. A self-signed certificate will throw a warning to the browser as well. Since we are talking about making a direct post, you can do this without a certificate.

Just a final note for anyone else that comes across this thread - some servers will come with a default certificate installed. Turning on HTTPS without any changes may have it fall back to this default certificate, but a certificate is always required for HTTPS.
 
PMH4514 (Author) commented:
Very interesting.

Still confused though: if both sides are HTTPS, is plain text fine? If not, if there is a VPN between the servers, is plain text fine? Or is asking if plain text is fine just being lazy?
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
Yes it is.  Based on what I have worked on it always just worked.  It's a good day when you get to learn one new good thing!
 
Scott Fell, EE MVE, Developer & EE Moderator, commented:
gr8gonzo can probably answer the question about clear text vs VPN better than I can. However, if you have ever worked with third-party APIs or sent credit card data to a gateway, the method I gave you is typical.

The other benefit of setting up your own api like this is you can easily reuse it for something else.
 
PMH4514 (Author) commented:
I see, understood now. I like it!
 
gr8gonzo, Consultant, commented:
I'd almost always tell people to treat server VPNs as a last resort. VPNs are great for temporary access to a network, but keeping them active all the time is a pain. Most need to refresh at points and that can interrupt things, so a VPN is not usually a good thing to rely on to be active all the time.

Clear text is probably fine if you're using SSL. There's no harm in encrypting things further so if one security layer is breached, you have a fallback. It's just up to you and what data you're trying to secure. The more sensitive the data, the more you'll want to protect it.

Most security standards like PCI DSS don't require more than one layer of encryption on the data, but it's not a bad idea if you can afford to implement it.