I just want a point in the right direction

  • mindfullsilence
  • Professor
  • Posts: 854

Post 3+ Months Ago

So my client wants me to set up an employee login screen on his website that logs in to a completely separate website. Here's what I'm thinking I can do but I just want to know if I'm on the right track.

The email site is email.secureserver.net/login.php

I think I could create a page on his site with a form inside a frame, mirroring the name attributes of the secureserver form. Then I'd $_POST the info the employee inputs to email.secureserver.net/login.php. Then redirect the frame to load email.secureserver.net and it should show the person's email inside of the client's website.

Sound good? Easier way of doing this? I'm new to PHP but I'm a very quick learner. Let me know how my thought process is going.

Thanks everyone

  • may
  • Proficient
  • Posts: 328
  • Loc: Holland [NL]

Post 3+ Months Ago

I would use Ajax, and don't send/get data between webservers. Also I would recommend using SSL, but this would be the setup I would use...

Web1 (Serve Page)
 |
Page
 Ajax Component ----> Web2 (Handle auth)
                       | Auth success? valid session? etc?
 Handle Response <----Web2 (Give response)
 |
Auth Success Redir --->Web2 (already have session, change state)

Or something like that...

What I would want to keep in mind are the following questions that need to be solved...

1. What condition should be met before authentication is accepted, and which server is responsible?
2. If authentication fails, how is this information reported back and handled? Do we make sure both sessions, local and remote, are tracking this authentication? Or do we allow hackers to do multiple brute-force attacks because we keep flushing our sessions?
3. How do we build the 'remote' session on which we are authenticating and keep that remote server in control of this authentication?
4. Who is serving the data and who is processing it, and in what manner?

And I might think of a lot more questions, all to do with the overall security...

Rgrds...
  • Truce
  • Guru
  • Posts: 1477
  • Loc: Washington DC

Post 3+ Months Ago

May, AJAX is out. For security reasons, the XmlHttpRequest object isn't allowed to access pages outside of its own domain. To be clear:

Accessing email.server.com from server.com = OK
Accessing email.server.com from other.server.com = Not sure
Accessing server.com from email.server.com = NOT OK
Accessing server.com from other.com = NOT OK

---

Mindfull, what method you go with depends on how you want things done and how everything is setup. From the sound of it, you're probably going to want to use CURL to login as the user and then grab the cookie and output it to the user.

http://php.net/curl
  • mindfullsilence
  • Professor
  • Posts: 854

Post 3+ Months Ago

Awesome, thank you Truce and may. Like I said, I'm new to PHP and I have absolutely no familiarity with Ajax. Very insightful information you gave, may, not something I had thought of.

Truce, what kind of security implementations are there incorporated with cURL? From what may said, using PHP is an all-around bad idea in this type of situation. Could you give me a quick summary of what exactly cURL does?

Thanks to both of you
  • may
  • Proficient
  • Posts: 328
  • Loc: Holland [NL]

Post 3+ Months Ago

cURL is capable of handling POSTs / GETs as if your script were a browser. So in effect cURL can fill out a form, or grab content from external websites and present that info locally as if the information were from your own site.

To give you an example of cURL in action:

This Script > http://www.dutchclan.com/Wmembers.php?s=8

is fetching data from the World of Warcraft Armory, and is presenting it in our own "template" as if the information were available on our own site.
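The flow Truce suggested (log in on the employee's behalf from the server, keep the cookie) and that may described (a script filling out a remote form as if it were a browser), written out as an added example. This is not code from the thread; it is Python rather than PHP so it can run stand-alone, and the remote webmail host is replaced by a constructed stand-in (FakeWebmail) so nothing leaves the machine. The form field names 'email' and 'password', the paths /login.php and /inbox, the account and the cookie name are all assumptions.

```python
"""Server-side login relay: the client's own server logs in to the remote
webmail form on the employee's behalf, keeps the session cookie it gets
back, and fetches a page with that cookie.

Added example, not code from the thread. The remote host is replaced by a
constructed stand-in (FakeWebmail) so the whole thing runs offline; field
names, paths, account and cookie name are assumed.
"""
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test account and session token for the stand-in server.
VALID_USER = "employee@example.com"
VALID_PASS = "correct horse battery staple"
SESSION_COOKIE = "WEBMAILSESSID=7f3a9c"


class FakeWebmail(BaseHTTPRequestHandler):
    """Minimal imitation of a login.php form handler plus an inbox page."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = (self.path == "/login.php"
              and fields.get("email") == [VALID_USER]
              and fields.get("password") == [VALID_PASS])
        if ok:
            self.send_response(200)
            # A real site would also mark the cookie Secure; omitted only
            # because the stand-in serves plain HTTP on 127.0.0.1.
            self.send_header("Set-Cookie", SESSION_COOKIE + "; Path=/; HttpOnly")
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def do_GET(self):
        if self.path == "/inbox" and self.headers.get("Cookie") == SESSION_COOKIE:
            body = ("INBOX for " + VALID_USER).encode()
            self.send_response(200)
        else:
            body = b"no session"
            self.send_response(403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_webmail():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeWebmail)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def relay_login(base_url, email, password):
    """Log in server-side and return (cookie_jar, inbox_body).

    On a rejected login returns (None, http_status) and makes no retry: the
    relay must not become a brute-force amplifier against the remote site.
    In PHP the same flow is CURLOPT_POST/CURLOPT_POSTFIELDS for the form and
    CURLOPT_COOKIEJAR/CURLOPT_COOKIEFILE for the session cookie.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    form = urllib.parse.urlencode({"email": email, "password": password}).encode()
    try:
        with opener.open(base_url + "/login.php", data=form, timeout=5) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        return None, err.code
    # The jar now holds the session cookie; the opener attaches it itself.
    with opener.open(base_url + "/inbox", timeout=5) as resp:
        return jar, resp.read().decode()


if __name__ == "__main__":
    server, url = start_fake_webmail()
    jar, page = relay_login(url, VALID_USER, VALID_PASS)
    print([c.name for c in jar], page)            # ['WEBMAILSESSID'] INBOX for employee@example.com
    print(relay_login(url, VALID_USER, "wrong"))  # (None, 401)
    server.shutdown()
```

Two things the example makes visible that matter for the client's setup: the session cookie is scoped to the remote host, so handing it to the employee's browser from the client's domain will not make that browser send it to email.secureserver.net, which means a relay of this kind has to proxy every later request itself; and the relaying server then holds the employee's password and live session in the clear, so it belongs behind TLS with certificate verification left on (the cURL default) and must never log the form fields.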
  • may
  • Proficient
  • Posts: 328
  • Loc: Holland [NL]

Post 3+ Months Ago

Truce wrote:
May, AJAX is out. For security reasons, the XmlHttpRequest object isn't allowed to access pages outside of its own domain.

http://php.net/curl


I'm not too familiar with what's "in or out", and security is a matter of scripting it safely if you ask me. Just to be clear, I was pointing out Ajax more from the architectural point of view, as if I were to solve this question in the blink of an eye, if you will :)

More importantly, even if your final solution implements SOAP, SSL, Curl, or AJAX in all cases you should draw out and consider your architecture before implementing 'any' solution.

Rgrds,
  • mindfullsilence
  • Professor
  • Posts: 854

Post 3+ Months Ago

Awesome, answered all my questions perfectly. Thanks for the quick reply guys. I'll look into cURL, it definitely sounds like what I need.
  • Truce
  • Guru
  • Posts: 1477
  • Loc: Washington DC

Post 3+ Months Ago

may wrote:
Truce wrote:
May, AJAX is out. For security reasons, the XmlHttpRequest object isn't allowed to access pages outside of its own domain.

http://php.net/curl


I'm not too familiar with what's "in or out", and security is a matter of scripting it safely if you ask me. Just to be clear, I was pointing out Ajax more from the architectural point of view, as if I were to solve this question in the blink of an eye, if you will.


FTR and to clarify, web browsers simply won't let you access another website with AJAX, so that nixes it for this purpose, even using iFrames.
  • may
  • Proficient
  • Posts: 328
  • Loc: Holland [NL]

Post 3+ Months Ago

Truce wrote:
FTR and to clarify, web browsers simply won't let you access another website with AJAX, so that nixes it for this purpose, even using iFrames.


I didn't know that :). But then again, what isn't now might be scripted / programmed in the future ^^ Thanks for that clarification :)

Post Information

  • Total Posts in this topic: 9 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.