Solved

most appropriate approach to linking two sites

Posted on 2014-04-03
1,550 Views
Last Modified: 2014-04-03
This type of thing is probably old-news for many folks, but outside my expertise.
We have a classic ASP website, and a customer has a PHP based website hosted on Amazon EC2.

We need to setup a mechanism whereby the PHP site can pass the ASP website an identifier which represents their request for the ASP site to do something.  Later (as in days) the ASP site will want to pass back that ID, plus a bit of extra text based data, to the PHP site. This to "link records" for all intents.

I can envision a very simple .php and .asp page that simply accepts querystring parameters and does the necessary database insertion. But that feels insecure to me (??)  If there is a VPN between the two servers, does that not matter? What is the appropriate way to set this up so that there is some degree of authentication involved so that if any old person were to type a url it wouldn't do anything?
Question by:PMH4514
16 Comments
LVL 33

Expert Comment

by:paulmacd
You're on the right track with querystrings, and you're right they can be insecure.  By and large, you only have to worry if someone can see an example of the querystrings being passed back and forth.  Otherwise, it's unlikely anyone will know these pages even exist.

To sidestep anyone trying to manipulate the querystrings, you could encrypt the data being passed.  ROT13, or some other simple mechanism such as just swapping characters around would probably work fine.

Using a VPN would be another alternative, but would be overkill, IMO.
LVL 52

Accepted Solution

by: Scott Fell, EE MVE (earned 500 total points)
Think of it as setting up a webservice on either side.  In asp you are using xmlhttppost http://support.microsoft.com/kb/290591

<%@ Language=vbScript%>
<%
    ' Form-encoded body to post; in practice this carries the ID and the hash described below
    DataToSend = "id=1"
    Dim xmlhttp
    ' Server-side HTTP client (MSXML2.ServerXMLHTTP, not the browser-oriented MSXML2.XMLHTTP)
    Set xmlhttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
    xmlhttp.Open "POST", "http://localhost/Receiver.asp", False
    xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    xmlhttp.send DataToSend
    ' Relay whatever XML the receiver returned
    Response.ContentType = "text/xml"
    Response.Write xmlhttp.responseXML.xml
    Set xmlhttp = Nothing
%>


In php you are using CURL https://php.net/manual/en/curl.examples-basic.php

First, make sure you are only using https.  Even if you don't have a certificate, you can use https.   Then create some type of key so you know it is the server you expect and you can also use your server side code to detect the ip the request is coming from.

Let's say the php page posts name, address, phone, email, password, and a hash of the concatenated fields in a field called PhpHash.

On the asp end you would have
<%
' Shared secret ("salt") agreed out of band and known only to the two sites
password = "abc123"
ProcessData = 0
' Only accept posts from the customer's EC2 host (placeholder address)
AuthIP = "xxx.xx.xx.xx"
' SHA256() is assumed to be a helper available to this page; classic ASP has
' no built-in SHA-256, so supply your own implementation or component.
Dim name, address, phone, email, PhpHash, AspHash

If Request.Form("PhpHash") <> "" And Request.ServerVariables("REMOTE_ADDR") = AuthIP Then
    name    = Request.Form("name")
    address = Request.Form("address")
    phone   = Request.Form("phone")
    email   = Request.Form("email")
    PhpHash = Request.Form("PhpHash")
    ' Recompute the hash over the same fields, in the same order, plus the secret
    AspHash = SHA256(name & address & phone & email & password)
    If PhpHash = AspHash Then ' we have good data
        ProcessData = 1
    End If
End If

If ProcessData = 1 Then
    ' update your database
End If
%>


Author Comment

by:PMH4514
Thanks Scott this looks like a good approach
LVL 52

Expert Comment

by:Scott Fell, EE MVE
To clarify, by posting a password, I mean your own passcode or "salt" that you add to the concatenated data.  

I am doing this very thing myself so wordpress php can talk to a web app I have in asp.

Author Comment

by:PMH4514
is this salt something that both sides agree upon first, and then hide?
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Yes, both sides use the same password or salt.

The full password of course is the hashed concatenated field.  You don't have to use all fields, but at least 3 or 4 are good. Throwing in the current date or day is good too. Anything that helps avoid a pattern.
LVL 34

Expert Comment

by:gr8gonzo
I agree with Scott. That's probably the easiest way to do things. Just to clarify one thing that he said, though:

> Even if you don't have a certificate, you can use https.


HTTPS does require a certificate, but I think what Scott was trying to say is that you can use a self-signed, free certificate. You don't need to buy a commercial certificate from a place like VeriSign just for this.
LVL 52

Expert Comment

by:Scott Fell, EE MVE
>HTTPS does require a certificate,

Actually, it does not.  You just have to have https turned on.  The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server.   A self signed certificate will throw a warning to the browser as well.  Since we are talking about making a direct post, you can do this without a certificate.

When you use https, your data is still encrypted.

Author Comment

by:PMH4514
both sides are already HTTPS with signed certificates.
Scott, I'm not fully understanding the salt/password mechanism.  Does each side have to first agree upon some hidden key and hash mechanism so that the request and some other password are hashed together, and then the other side uses the same salt to pull it back apart?
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Exactly.  Assume you use sha256 as your hash.  Assume your salt is the current date and the password, "eXpert".  To encode a first_name and last_name you would concatenate the two fields along with the date and password.

myHash=sha256(first_name&last_name&formatdatetime(date,2)&"eXpert")

Notice I formatted the date to m/d/yyyy.  Since PHP and ASP may treat dates differently, make sure the end result is m/d/yyyy or mm/dd/yyyy if you use the full date.

Now myHash gets submitted to the php page with the rest of the data.  So you will want to grab each field posted individually on the php side (first_name and last_name), add the date and password in the same order and apply sha256.    Next, compare the myHash that was posted from the other server to the myHash you created on the receiving server.   If they match, you are good.  

When you process credit card transactions, you will see this same method used by some gateways.
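The PHP side of the exchange described in the accepted solution and in the date-in-the-hash comment just above, as an added example that is not code from the thread or from either site: `sign_fields()` produces the value the ASP receiver recomputes, `verify_fields()` is the check the PHP page applies when the ASP site posts the ID and its extra text back days later, and `send_to_asp()` is the cURL POST. It keeps the thread's shared-secret design but makes three changes, each marked in the code and all my own choices rather than the page's: HMAC-SHA256 keyed with the secret instead of SHA-256 over the concatenated text, URL-encoded fields joined with an explicit separator so field boundaries cannot be shifted, and the date sent inside the signed data (UTC, fixed format) and checked for freshness instead of being assumed equal on both clocks. The field names, URL, IP address and secret are placeholders, and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the thread. Shared-secret signing for the PHP <-> classic ASP link.
// Placeholders (not from the page): the secret, the IP, the URL and the field names.

const SHARED_SECRET = 'replace-with-a-long-random-secret';           // identical on both sites
const ALLOWED_IP    = '203.0.113.10';                                 // documentation-range placeholder
const RECEIVER_URL  = 'https://asp.example.invalid/Receiver.asp';     // placeholder

// Every authenticated field, in the order both sides sign them. 'sig' itself is never signed.
const SIGNED_FIELDS = ['request_id', 'action', 'note', 'sent_on'];

// Canonical form: URL-encode each value and join with '&' so the boundaries between
// fields are unambiguous ("ab"+"c" must not hash the same as "a"+"bc").
function canonical_string(array $fields): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        $parts[] = rawurlencode((string) ($fields[$name] ?? ''));
    }
    return implode('&', $parts);
}

// HMAC rather than a bare hash: the secret is a key, not just more input text.
function sign_fields(array $fields): string
{
    return hash_hmac('sha256', canonical_string($fields), SHARED_SECRET);
}

// True only if the source address, the signature and the signed date all check out.
function verify_fields(array $post, string $remote_ip, int $max_age_days = 2): bool
{
    // Source-address pin as suggested in the thread; a supplement to the signature,
    // not a replacement, since addresses can be spoofed or sit behind a proxy.
    if ($remote_ip !== ALLOWED_IP) {
        return false;
    }
    $provided = $post['sig'] ?? '';
    if (!is_string($provided) || $provided === '') {
        return false;
    }
    // The date is part of the signed data, so a captured post cannot be re-dated and replayed later.
    $sent = DateTime::createFromFormat('!Y-m-d', (string) ($post['sent_on'] ?? ''), new DateTimeZone('UTC'));
    if ($sent === false || abs(time() - $sent->getTimestamp()) > $max_age_days * 86400) {
        return false;
    }
    // hash_equals() compares in constant time; a plain == leaks timing.
    return hash_equals(sign_fields($post), $provided);
}

// Sender: POST the signed fields to the ASP receiver over HTTPS with certificate checks on.
function send_to_asp(array $fields): string
{
    $fields['sent_on'] = gmdate('Y-m-d');   // UTC, fixed format; avoids locale-dependent dates
    $fields['sig']     = sign_fields($fields);

    $ch = curl_init(RECEIVER_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,     // never switch these off to "make it work"
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('POST to receiver failed: ' . $err);
    }
    return $body;
}

// Receiver: the page the ASP site posts back to with the ID plus its extra text.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!verify_fields($_POST, $_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit('rejected');
    }
    // Signature and date check out: link the record identified by $_POST['request_id'].
}

// Sender usage, e.g. from the page that creates the request:
// send_to_asp(['request_id' => 'REQ-1001', 'action' => 'create', 'note' => '']);
```

The ASP receiver verifies by building the same '&'-joined canonical string and computing HMAC-SHA256 with the same key; classic ASP has no built-in HMAC, which is why the thread's receiver code assumes a `SHA256()` helper, and the same kind of helper (a VBScript implementation or a COM component) is needed here. Because the date travels inside the signed fields, the two servers no longer need to agree on a date format or be on the same day, only to be within the freshness window.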
LVL 34

Expert Comment

by:gr8gonzo
> Actually, it does not.  You just have to have https turned on.  The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server.   A self signed certificate will throw a warning to the browser as well.  Since we are talking about making a direct post, you can do this without a certificate.

Just a final note for anyone else that comes across this thread - some servers will come with a default certificate installed. Turning on HTTPS without any changes may have it fall back to this default certificate, but a certificate is always required for HTTPS.

Author Comment

by:PMH4514
very interesting.

still confused though - if both sides are HTTPS, is plain text fine?  If not, if VPN between servers, is plain text fine? Or, is asking if plain text is fine just being lazy?
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Yes it is.  Based on what I have worked on it always just worked.  It's a good day when you get to learn one new good thing!
LVL 52

Expert Comment

by:Scott Fell, EE MVE
gr8gonzo can probably answer the question about clear text vs VPN better than I can.  However, if you have ever worked with 3rd party APIs or sent credit card data to a gateway, the method I gave you is typical.

The other benefit of setting up your own api like this is you can easily reuse it for something else.

Author Comment

by:PMH4514
I see, understood now. I like it!
LVL 34

Expert Comment

by:gr8gonzo
I'd almost always tell people to treat server VPNs as a last resort. VPNs are great for temporary access to a network, but keeping them active all the time is a pain. Most need to refresh at points and that can interrupt things, so a VPN is not usually a good thing to rely on to be active all the time.

Clear text is probably fine if you're using SSL. There's no harm in encrypting things further so if one security layer is breached, you have a fallback. It's just up to you and what data you're trying to secure. The more sensitive the data, the more you'll want to protect it.

Most security standards like PCI DSS don't require more than one layer of encryption on the data, but it's not a bad idea if you can afford to implement it.