Solved

most appropriate approach to linking two sites

Posted on 2014-04-03
Last Modified: 2014-04-03
This type of thing is probably old-news for many folks, but outside my expertise.
We have a classic ASP website, and a customer has a PHP based website hosted on Amazon EC2.

We need to setup a mechanism whereby the PHP site can pass the ASP website an identifier which represents their request for the ASP site to do something.  Later (as in days) the ASP site will want to pass back that ID, plus a bit of extra text based data, to the PHP site. This to "link records" for all intents.

I can envision a very simple .php and .asp page that simply accepts querystring parameters and does the necessary database insertion. But that feels insecure to me (??)  If there is a VPN between the two servers, does that not matter? What is the appropriate way to set this up so that there is some degree of authentication involved so that if any old person were to type a url it wouldn't do anything?
Question by:PMH4514
16 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39975033
You're on the right track with querystrings, and you're right they can be insecure. By and large, you only have to worry if someone can see an example of the querystrings being passed back and forth. Otherwise, it's unlikely anyone will know these pages even exist.

To sidestep anyone trying to manipulate the querystrings, you could encrypt the data being passed.  ROT13, or some other simple mechanism such as just swapping characters around would probably work fine.

Using a VPN would be another alternative, but would be overkill, IMO.
LVL 54

Accepted Solution

by:
Scott Fell,  EE MVE earned 2000 total points
ID: 39975050
Think of it as setting up a webservice on either side.  In asp you are using xmlhttppost http://support.microsoft.com/kb/290591

<%@ Language=vbScript%>
<%
	DataToSend = "id=1"
	dim xmlhttp
	set xmlhttp = server.Createobject("MSXML2.ServerXMLHTTP")
	xmlhttp.Open "POST","http://localhost/Receiver.asp",false
	xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
	xmlhttp.send DataToSend
	Response.ContentType = "text/xml"
	Response.Write xmlhttp.responsexml.xml
	Set xmlhttp = nothing
%>



In php you are using CURL https://php.net/manual/en/curl.examples-basic.php

First, make sure you are only using https.  Even if you don't have a certificate, you can use https.   Then create some type of key so you know it is the server you expect and you can also use your server side code to detect the ip the request is coming from.

Let's say the php page posts name, address, phone, email, password and a hash of the concatenated fields in a field called PhpHash.

On the asp end you would have
password="abc123"        ' shared secret known to both servers, never sent on the wire
ProcessData=0
AuthIP="xxx.xx.xx.xx"    ' IP address of the PHP server (placeholder as in the original)
AspHash=""
PhpHash=Request.Form("PhpHash")
if PhpHash<>"" AND Request.ServerVariables("REMOTE_ADDR")=AuthIP then
  name=Request.Form("name")
  address=Request.Form("address")
  phone=Request.Form("phone")
  email=Request.Form("email")
  ' recompute the hash exactly as the PHP side built it; SHA256 is a function you
  ' supply yourself, since classic ASP has no built-in SHA-256
  AspHash=SHA256(name&address&phone&email&password)
end if
' AspHash stays empty when the IP or hash check above fails, so the comparison
' below cannot succeed on two empty values
if AspHash<>"" AND PhpHash=AspHash then ' we have good data
    ProcessData=1
end if

if ProcessData=1 then
    ' update your database
end if



Author Comment

by:PMH4514
ID: 39975101
Thanks Scott this looks like a good approach
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39975128
To clarify, by posting a password, I mean your own passcode or "salt" that you add to the concatenated data.  

I am doing this very thing myself so wordpress php can talk to a web app I have in asp.

Author Comment

by:PMH4514
ID: 39975147
is this salt something that both sides agree upon first, and then hide?
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39975230
Yes, both sides use the same password or salt.

The full password of course is the hashed concatenated field.  You don't have to use all fields, but at least 3 or 4 are good. Throwing in the current date or day is good too. Anything that helps avoid a pattern.
LVL 35

Expert Comment

by:gr8gonzo
ID: 39975725
I agree with Scott. That's probably the easiest way to do things. Just to clarify one thing that he said, though:

> Even if you don't have a certificate, you can use https.


HTTPS does require a certificate, but I think what Scott was trying to say is that you can use a self-signed, free certificate. You don't need to buy a commercial certificate from a place like VeriSign just for this.
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39975787
>HTTPS does require a certificate,

Actually, it does not. You just have to have https turned on. The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server. A self signed certificate will throw a warning to the browser as well. Since we are talking about making a direct post, you can do this without a certificate.

When you use https, your data is still encrypted.

Author Comment

by:PMH4514
ID: 39975990
both sides are already HTTPs with signed certificates.
Scott I'm not fully understanding the salt/password mechanism.  does each side have to first agree upon some hidden key and hash mechanism so that the request and some other password are hashed together, and then the other side uses the same salt to pull it back apart?
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39976073
Exactly. Assume you use sha256 as your hash. Assume your salt is the current date and the password, "eXpert". To encode a first_name and last_name you would concatenate the two fields along with the date and password.

myHash=sha256(first_name&last_name&formatdatetime(date,2)&"eXpert").

Notice I formatted the date to m/d/yyyy.  Since PHP and ASP may treat dates differently,  make sure the end result is m/d/yyyy or mm/dd/yyyy if you use the full date.  

Now myHash gets submitted to the php page with the rest of the data.  So you will want to grab each field posted individually on the php side (first_name and last_name), add the date and password in the same order and apply sha256.    Next, compare the myHash that was posted from the other server to the myHash you created on the receiving server.   If they match, you are good.  

When you process credit card transactions, you will see this same method used by some gateways.
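Added example, not code from the thread or from either poster: the shared-secret signing scheme that the accepted solution and the comment above describe, written in Python so the sending side and the receiving side can be exercised in one file. The PHP sender would build the same canonical string and call hash_hmac('sha256', ...) and the receiver would compare with hash_equals(); the classic ASP side needs an HMAC-SHA-256 routine of its own. The secret, the allowed peer address (a TEST-NET value standing in for AuthIP) and the field names are constructed assumptions. It departs from the answer's sha256(fields & password) in ways a defender would want: HMAC-SHA-256 instead of a bare hash over concatenated data, a fixed field order with separators so two different field splits cannot produce the same string, a timestamp and nonce so a captured request cannot be resubmitted later, and a constant-time digest comparison.

```python
"""Signed cross-site POST: sender and receiver in one file (constructed example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Assumptions for this example: the secret is agreed out of band and stored on both
# servers; the peer address is a constructed TEST-NET value standing in for AuthIP.
SHARED_SECRET = b"constructed-example-secret"
ALLOWED_PEERS = {"203.0.113.10"}
MAX_SKEW_SECONDS = 300
SIGNED_FIELDS = ("id", "name", "address", "phone", "email", "ts", "nonce")


def canonical(fields):
    """Fixed field order, one field per line, so field boundaries are unambiguous."""
    return "\n".join("%s=%s" % (k, fields.get(k, "")) for k in SIGNED_FIELDS).encode()


def sign_request(fields, secret=SHARED_SECRET, now=None):
    """Sender side: add ts and nonce, then HMAC-SHA-256 over the canonical form."""
    body = dict(fields)
    body["ts"] = str(int(time.time() if now is None else now))
    body["nonce"] = secrets.token_hex(8)
    body["sig"] = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return body


def encode_form(body):
    """application/x-www-form-urlencoded body, as cURL or ServerXMLHTTP would send it."""
    return urlencode(body)


def decode_form(raw):
    """Flatten the receiver's parsed form back to single string values."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def verify_request(body, remote_addr, secret=SHARED_SECRET, now=None, seen_nonces=None):
    """Receiver side. Returns (accepted, reason); every rejection is explicit."""
    if remote_addr not in ALLOWED_PEERS:
        return False, "unexpected-peer"
    sig = body.get("sig", "")
    if not sig:
        return False, "missing-signature"
    try:
        ts = int(body.get("ts", ""))
    except ValueError:
        return False, "bad-timestamp"
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "stale"
    nonce = body.get("nonce", "")
    if seen_nonces is not None and nonce in seen_nonces:
        return False, "replay"
    # Recompute over the received fields; "sig" itself is not part of SIGNED_FIELDS.
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    if seen_nonces is not None:
        seen_nonces.add(nonce)  # remember only nonces that carried a valid signature
    return True, "ok"


if __name__ == "__main__":
    signed = sign_request({"id": "1", "name": "Ann Example", "address": "1 Main St",
                           "phone": "555-0100", "email": "ann@example.com"})
    wire = encode_form(signed)
    print(verify_request(decode_form(wire), "203.0.113.10"))
```

The timestamp window and nonce store cover the "days later" reply mentioned in the question only if the reply is signed as a fresh request of its own rather than echoing the original one. When the PHP side posts with cURL over HTTPS, keep CURLOPT_SSL_VERIFYPEER enabled so that the sender actually authenticates the ASP host's certificate; TLS without peer verification encrypts the channel but does not tell the sender who is on the other end.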
LVL 35

Expert Comment

by:gr8gonzo
ID: 39976623
> Actually, it does not. You just have to have https turned on. The only thing a certificate does is let the browser know it is trusted and the url in the browser is in fact the right server. A self signed certificate will throw a warning to the browser as well. Since we are talking about making a direct post, you can do this without a certificate.

Just a final note for anyone else that comes across this thread - some servers will come with a default certificate installed. Turning on HTTPS without any changes may have it fall back to this default certificate, but a certificate is always required for HTTPS.

Author Comment

by:PMH4514
ID: 39976917
very interesting.

still confused though - if both sides are HTTPS, is plain text fine?  If not, if VPN between servers, is plain text fine? Or, is asking if plain text is fine just being lazy?
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39976953
Yes it is.  Based on what I have worked on it always just worked.  It's a good day when you get to learn one new good thing!
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39977067
gr8gonzo can probably answer the question about clear text vs vpn better than I can. However, if you have ever worked with 3rd-party APIs or sent credit card data to a gateway, the method I gave you is typical.

The other benefit of setting up your own api like this is you can easily reuse it for something else.

Author Comment

by:PMH4514
ID: 39977092
I see, understood now. I like it!
LVL 35

Expert Comment

by:gr8gonzo
ID: 39977142
I'd almost always tell people to treat server VPNs as a last resort. VPNs are great for temporary access to a network, but keeping them active all the time is a pain. Most need to refresh at points and that can interrupt things, so a VPN is not usually a good thing to rely on to be active all the time.

Clear text is probably fine if you're using SSL. There's no harm in encrypting things further so if one security layer is breached, you have a fallback. It's just up to you and what data you're trying to secure. The more sensitive the data, the more you'll want to protect it.

Most security standards like PCI DSS don't require more than one layer of encryption on the data, but it's not a bad idea if you can afford to implement it.