
View Full Version : ASP / .NET / PHP Session Cookies Referrer Problem



dprichard
07-22-2004, 02:56 PM
Okay, I need some serious programming answers PLEASE!!!!. Here is the scenario:

Customer wants users to authenticate based on where they came from. They have several locations that the users will be coming from. They don't want anyone to be able to access their website from anywhere other than these locations. The locations' IP addresses will be changing regularly. Is there a way to have a page on the INTRANET internally that the users will go to and it will start a session or place a cookie and pass them to the website? The website then looks for that session or cookie and lets them in or denies them based on the session or cookie. The sites that they will be coming from are ASP and .NET servers and it encrypts the URL that it is coming from. The website it is going to is on a PHP server and is built on PHP and MySQL. I have asked this in like every forum on the internet I can find and no one seems to have a solution. Any help would be greatly appreciated.

dprichard
07-22-2004, 04:51 PM
Anyone?

oracleguy
07-22-2004, 05:02 PM
So you want to transfer the session information from ASP/ASP.net to PHP? If that is the case, yes, that is possible. I've done a similar thing before but it was transferring ColdFusion to ASP.net, but the languages used are irrelevant.

dprichard
07-22-2004, 05:10 PM
Can I set a cookie in asp or .net and then verify that cookie on the PHP server when it passes them through?

Thank you for responding.

dprichard
07-22-2004, 06:29 PM
I built two pages. One is on an ASP machine and the other one is on a PHP server. The first page has the following code:



<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
Response.Cookies("testcookie")="testcookievalue"
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body><meta http-equiv="refresh" content="1;URL=http://www.leadershippinellas.com/test.php">
</body>
</html>



I am trying to pass this cookie from an ASP page to a PHP page. Here is the code I am using on the PHP page:




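<html>
<body><?php
// Escape the cookie value before echoing it: cookies are client-controlled input.
if (isset($_COOKIE["testcookie"]))
    echo "Welcome " . htmlspecialchars($_COOKIE["testcookie"], ENT_QUOTES) . "!<br />";
else
    echo "You are not logged in!<br />";
?></body>
</html>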



I can't get it to see the cookie? Is this even possible?

oracleguy
07-22-2004, 06:38 PM
That method _might_ work if both pages were running on the same machine but since they are not, it definitely won't work. What I had to do, since CF and ASP were completely incompatible, is basically what you are going to have to do.

You'll need two pages, one on the ASP server and one on the PHP server. The first page will need to output all the information you want to send either into a form and submit it to the PHP automatically or send it via querystring. Then the PHP page can take that information and save it to the session.

Now obviously this could open up a very large security hole, so I recommend you put some sort of encryption and/or handshaking in place so that I can't fake a request from the ASP server to the PHP server and then become validated on the PHP server without actually logging in.

dprichard
07-23-2004, 01:23 AM
Awesome, this is just the type of info I have been trying to get. When you say handshake, what do you mean by that? I don't want to suck up all this info, but if you can point me in the direction I will research it. I am just not sure what you mean by handshake???

glenngv
07-23-2004, 02:45 AM
Another possible solution (though not secured) is this (http://www.codingforums.com/showthread.php?p=220324#post220324).

dprichard
07-23-2004, 01:14 PM
Yeah, I need it to be as secure as possible.

glenngv
07-23-2004, 01:56 PM
Well, you can still use the technique I mentioned (window.name) and still make a "secure" transfer of data. Encrypt the data and then Base64 encode it and then put it as the window.name value. The data may be represented by username + the time of login to the previous site + the server name.

ASP side:


<%
loginData = username & "|" & Now() & "|" & request.servervariables("SERVER_NAME")
'encrypt loginData (use any reliable encryption mechanism)
'base64 encode loginData
%>
<script type="text/javascript">
window.name = "<%=loginData%>";
</script>

PHP side: (entry point)


<?php
// check if referring page (referrer) is valid (may not be reliable)
// don't display the form below if invalid
?>
<script type="text/javascript">
function getWindowName(){
    if (window.name!=''){
        document.theForm.theHiddenField.value = window.name;
        window.name="";//reset
        document.theForm.submit();
    }
    else location.replace("index.php"); //redirect to first page
}
</script>
...
<body onload="getWindowName();">
<form name="theForm" method="post" action="page.php">
<input type="hidden" name="theHiddenField" />
</form>

Then in page.php:
<?php
// read the value of theHiddenField
// base64 decode it
// decrypt it
// parse username and datetime and originating server name
// check if originating server name is valid
// check if datetime is still within the desired length of time
// check if username exists.
// user validation ok if above conditions are successfully met
?>

Hope I explained it clearly and hope that helps.
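
[Added example, not part of glenngv's post or of any code from this thread.] The page.php checks listed above, written out in PHP. It signs the data with HMAC-SHA256 instead of encrypting it, which is a substitution: the signature stops a forged or altered value from being accepted but does not hide the fields. The key, the allowed origin name, the 60-second window and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. SHARED_KEY, ALLOWED_ORIGINS and
// MAX_AGE_SECONDS are assumptions; the key must be provisioned on both servers.
const SHARED_KEY = 'replace-with-32-random-bytes-from-a-secret-store';
const ALLOWED_ORIGINS = ['intranet.example.internal'];
const MAX_AGE_SECONDS = 60;

// What the sending (ASP) side would produce: payload plus HMAC, Base64 encoded.
function make_token(string $user, int $issuedAt, string $origin): string
{
    $payload = $user . '|' . $issuedAt . '|' . $origin;
    $mac = hash_hmac('sha256', $payload, SHARED_KEY);
    return base64_encode($payload . '|' . $mac);
}

// The page.php checks: returns the username, or null if any check fails.
function verify_token(string $token, int $now): ?string
{
    $raw = base64_decode($token, true);          // strict Base64 decoding
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;
    }
    [$user, $issuedAt, $origin, $mac] = $parts;
    $expected = hash_hmac('sha256', "$user|$issuedAt|$origin", SHARED_KEY);
    if (!hash_equals($expected, $mac)) {         // constant-time comparison
        return null;
    }
    if (!ctype_digit($issuedAt) || abs($now - (int)$issuedAt) > MAX_AGE_SECONDS) {
        return null;                             // outside the allowed time window
    }
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return null;                             // unknown originating server
    }
    return $user;   // caller still checks that this username exists
}

// Constructed sample values.
$now = time();
$good = make_token('jsmith', $now, 'intranet.example.internal');
var_dump(verify_token($good, $now));            // fresh token
var_dump(verify_token($good, $now + 3600));     // same token an hour later
$forged = base64_encode("admin|$now|intranet.example.internal|" . str_repeat('0', 64));
var_dump(verify_token($forged, $now));          // token with a made-up MAC
```

A valid token can be replayed until it expires, so the window should be short or used tokens should be recorded on the PHP side.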

raf
07-23-2004, 02:44 PM
Wouldn't it be simpler to store the session data into the MySQL server?

You can access that server from a remote machine (where your ASP or .NET application runs on. All you need to do is create a mysql-account and grant write permissions to a new user from the machine that the ASP runs from)

Then, if you're gonna transfer the client, then you build some sort of 'ticket'.
Like you register the ASP sessionID in the db and also his IP (will only work for users whose IP doesn't change during their visit (so no AOL users). You can leave out the IP-checks but that creates a risk for session-hijacking).
Then, inside your ASP page, you add the sessionID to each link or to the redirect URL to the PHP server.
The PHP server then verifies the newcomer by looking up in the mysql-db if there is a record with that IP and that sessionID. If there is one, then you remove that record (to avoid hijacking).

To make this more secure :
- you could let the ticket expire very quickly. If the redirect is automatic, then after 10 seconds or so.
- you could generate a new sessionID right before creating the ticket --> reduces the risk of hijacking
- you could encode the sessionID

dprichard
07-23-2004, 03:57 PM
Wouldn't it be simpler to store the session data into the MySQL server?

You can access that server from a remote machine (where your ASP or .NET application runs on. All you need to do is create a mysql-account and grant write permissions to a new user from the machine that the ASP runs from)


Would I be able to write to a MySQL database on another server with an ASP page? I have inserted info from PHP pages before into MySQL, but not ASP pages.



Then, if you're gonna transfer the client, then you build some sort of 'ticket'.
Like you register the ASP sessionID in the db and also his IP (will only work for users whose IP doesn't change during their visit (so no AOL users). You can leave out the IP-checks but that creates a risk for session-hijacking).
Then, inside your ASP page, you add the sessionID to each link or to the redirect URL to the PHP server.


How do you pull the session ID into the page? Do you mean have it go to a page and put the Session ID and the IP Address into a form and then auto submit the info then forward them to the PHP Page and pull the last record and match the info up?

Thank you so much for the response!!!

raf
07-23-2004, 09:20 PM
Would I be able to write to a MySQL database on another server with an ASP page? I have inserted info from PHP pages before into MySQL, but not ASP pages.
Sure. Why not? All you need is the user account set up so that it allows connections from your ASP server. I've posted the connectionstring you need to connect to MySQL here yesterday.
http://www.codingforums.com/showthread.php?p=220449#post220449
All you need to do is replace
server=localhost with server=the IP of the ASP server or server=the hostname of the ASP server

To create the user, all you need is
GRANT INSERT ON your_db_name.* TO 'your_new_username'@'yourdomain.com' IDENTIFIED BY 'your_password';


How do you pull the session ID into the page? Do you mean have it go to a page and put the Session ID and the IP Address into a form and then auto submit the info then forward them to the PHP Page and pull the last record and match the info up?
All you need for the sessionID is:

Session.SessionID

I don't know your situation, but if you want to move the client from the ASP to the PHP server, then you just insert the record (using the Session.SessionID to get the session ID and the IP with Request.ServerVariables("REMOTE_ADDR")).

Then you make a response.redirect and to the URL, you add the Session.SessionID.

In the PHP page, you grab the sessionID from the querystring and the IP with $_SERVER['REMOTE_ADDR'] and you then use them in your select.
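
[Added example, not part of raf's posts or of any code from this thread.] The ticket scheme described in raf's two posts, with the lookup and the removal done as a single DELETE so a ticket can be redeemed only once. The table and column names, the use of a random ticket value rather than the ASP session ID, and the SQLite in-memory database standing in for the MySQL server are assumptions.

```php
<?php
// Added example, not code from the thread. The table and column names, the
// TICKET_TTL value and the SQLite in-memory database (standing in for the
// thread's MySQL server) are assumptions.
const TICKET_TTL = 10; // seconds, the "10 seconds or so" from the post

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (
        ticket TEXT PRIMARY KEY, ip TEXT NOT NULL, created_at INTEGER NOT NULL)');
    return $db;
}

// What the ASP side's INSERT amounts to: a random ticket bound to the client IP.
function issue_ticket(PDO $db, string $ip, int $now): string
{
    $ticket = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO tickets (ticket, ip, created_at) VALUES (?, ?, ?)')
       ->execute([$ticket, $ip, $now]);
    return $ticket;
}

// PHP side: one DELETE both checks and consumes the ticket, so two requests
// racing with the same ticket cannot both succeed.
function redeem_ticket(PDO $db, string $ticket, string $ip, int $now): bool
{
    $stmt = $db->prepare(
        'DELETE FROM tickets WHERE ticket = ? AND ip = ? AND created_at >= ?');
    $stmt->execute([$ticket, $ip, $now - TICKET_TTL]);
    return $stmt->rowCount() === 1;
}

// Constructed sample run (203.0.113.x are documentation addresses).
$db = open_db();
$t0 = time();
$ticket = issue_ticket($db, '203.0.113.7', $t0);
var_dump(redeem_ticket($db, $ticket, '203.0.113.9', $t0 + 1));  // different IP
var_dump(redeem_ticket($db, $ticket, '203.0.113.7', $t0 + 1));  // first use
var_dump(redeem_ticket($db, $ticket, '203.0.113.7', $t0 + 2));  // replay
$late = issue_ticket($db, '203.0.113.7', $t0);
var_dump(redeem_ticket($db, $late, '203.0.113.7', $t0 + 60));   // past the TTL
```

On the real PHP page the arguments would come from the query string, `$_SERVER['REMOTE_ADDR']` and `time()`.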


