php include or ajax to get cookie from another server



djr33
05-01-2006, 07:47 AM
I've mentioned this before in other threads, so I won't go into too much detail... let me know if you need more info.

Simple version:
I'm coding some pages that require users to be logged in. I'd love to use the existing cookies from my form.
The catch is that they are two different servers, thebrb.com and thebrbforums.com.


So... here's what I'm thinking:
I can use an include or ajax to get the page on the other server, then it should tell if they're logged in or not.

Let's assume for example (and any demo scripts you show me) that http://thebrbforms.com/loginverify.php is the page that checks their cookies.

Question: does a php include work only serverside? I'm assuming yes. this would mean the server obviously doesn't have cookies, and the user's cookies wouldn't be accessible or even related.
Meaning... I need another way to load a page on the other server, right?

So... ajax.
Does it operate server side or client side? Seems kinda half and half. If a php script is run on a server when ajax asks for it, would cookies be available?

If it will work for getting data from cookies,

Here's what I'd like:

A SIMPLE ajax script that will get the contents of http://thebrbforms.com/loginverify.php (which will either be a username or "null") and based on that determine (if (var == "null")) to display them as logged in or not.
If you could just code a page that says "Logged in as [username]" or "Not logged in." then I will be quite happy.


thanks in advance. Feel free to suggest other ideas.
I've thought about hidden frames and such.... but... seems like a pain and not too compatible. Plus, I'd still need a way to get the data from those frames into the rest of the page...




Hmm... alternatively, I could have the page on the other server, http://thebrbforms.com/loginverify.php, output two values, those which are stored in the cookie. One would be password (encrypted with md5) and the other the username. Then I could use php on the other server to interpret it, but it would need to somehow get into the php script... which might be a pain. I guess a refresh could work. Maybe.

mwinter
05-01-2006, 10:20 PM
> I'm coding some pages that require users to be logged in. I'd love to use the existing cookies from my form.
> The catch is that they are two different servers, thebrb.com and thebrbforums.com.

And this is the crux of the issue; change how you've organised your servers, and the problem goes away.

You should have only registered one domain: thebrb.com. Your forums would then either be found at

  http://thebrb.com/forums/

and the home page at

  http://thebrb.com/

or, using name-based virtual hosts:

  http://forums.thebrb.com/

and

  http://www.thebrb.com/

You could still change to this setup, issuing a (proper HTTP) redirect from thebrbforums.com, and it's certainly what I'd recommend. You could then choose to keep that domain name, or let it expire.


> I can use an include

An include won't do. You need to get the visitor to send the cookie, which means they must make a request to the same domain where it was set.


> or ajax to get the page on the other server

Cross-domain security constraints apply here, just as they do with frames.

As I wrote above, to get the visitor to send the cookie, they need to make a request to the domain (and possibly path) that originally set it. You could redirect the visitor to the other server to have it check whether they are logged in, but you'd have to redirect back and only have the query string as your transmission method. That could be disastrous for security. You might be able to come up with some sort of challenge/response mechanism to authenticate the exchange, but if it's in any way predictable, you're screwed.

I really would just change your server arrangement.


> Question: does a php include work only serverside?

What's the actual question? Can browsers execute PHP? No. Is PHP limited only to server-side processing? No.


> Hmm... alternatively, I could have the page on the other server, http://thebrbforms.com/loginverify.php, output two values, those which are stored in the cookie. One would be password (encrypted with md5) and the other the username.

MD5 is not encryption. It is a hash - a one-way transformation - and it's not secure. Encryption isn't either, in this situation, as it's vulnerable to man-in-the-middle attacks (which is why a challenge is the very minimum necessary).

Mike
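As an added example, not code from this thread or from either site, here is the shape of the "redirect through the other server" hand-off Mike describes above, built the way his warning points to: the forum host, which can read its own login cookie, signs a short-lived, single-use token; the home host verifies the signature, the expiry and the nonce before trusting the username carried in the query string. The shared secret, the lifetime, the `auth` parameter and all function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Constructed for this example: a secret shared by the two hosts (in practice
# generated once with secrets.token_bytes(32) and stored outside the web root
# on both servers).  Not a value from the thread.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 60          # how long a token stays valid after issue
AUTH_PARAM = "auth"             # hypothetical query-string parameter name


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, secret, now=None):
    """Run on the forum host after it has checked its own login cookie.

    Returns '<payload>.<hmac>' where the payload carries the username, an
    expiry time and a random nonce that may be used exactly once."""
    if now is None:
        now = time.time()
    payload = {"u": username,
               "exp": int(now) + TOKEN_TTL_SECONDS,
               "n": secrets.token_hex(16)}
    body = _b64encode(json.dumps(payload, sort_keys=True).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + sig


def build_return_url(home_url, token):
    """The redirect target on the home host; the token is the only thing the
    query string needs to carry."""
    return home_url + "?" + urllib.parse.urlencode({AUTH_PARAM: token})


def verify_token(token, secret, seen_nonces, now=None):
    """Run on the home host when the visitor arrives back.

    Returns the username, or None on any failure: bad signature, expired, or
    a nonce already consumed.  seen_nonces must persist across requests for
    at least TOKEN_TTL_SECONDS (a database table in practice; a set here)."""
    if now is None:
        now = time.time()
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about sig.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("exp", 0) < now:
        return None                      # expired
    nonce = payload.get("n")
    if not nonce or nonce in seen_nonces:
        return None                      # replay of a consumed token
    seen_nonces.add(nonce)
    return payload.get("u")


if __name__ == "__main__":
    consumed = set()
    tok = issue_token("djr33", SHARED_SECRET)
    print(build_return_url("http://thebrb.com/return.php", tok))
    print("first use :", verify_token(tok, SHARED_SECRET, consumed))
    print("second use:", verify_token(tok, SHARED_SECRET, consumed))
```

The nonce is what makes the exchange unpredictable in Mike's sense: a captured URL is useless once consumed or once the minute is up, and a forged one fails the HMAC. It still assumes the redirect itself travels over HTTPS and that both hosts keep the secret private; the recommended fix, one domain for both sites, removes the need for any of this.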

djr33
05-02-2006, 03:05 AM
Thanks, Mike. Very useful info.

I originally set up these servers because I wanted to have one for linux (php) and one for windows (asp) because we needed php and a friend was doing some cool stuff with asp. He has, however, gotten busy with things, and I've now taken over that with php... meaning... no real need for separate setups.
However... it would be a real pain to switch it over.... meh. But.... might work out.


I realize that php can only work serverside, generally.... sorry... bolded the wrong part. What I meant to ask was if the php included a page from the other server, would it have client-side access to cookies... never did say that clearly, but you answered in response to another question, so.. yeah.


md5 is hash, yeah... got the terms mixed up.
as far as I'm concerned, it's perfectly secure. Once it's not, my entire forum is easy to hack into, so 'security' isn't an issue any more.
It's like saying that "well, ftp isn't really that secure, so you should make your webpage more secure"... sure... makes sense, 'cept that the ftp (or, in this case the forum) is the weakest link... so... that's that.
If you've got more info on md5 than I do, great.
But from what I've heard, the only way to crack it is to use brute force, and I doubt people will spend that long trying to hack the server. After all, if they DO do that, I've got bigger problems than whether they're logged in on two domains ;)

Twey
05-02-2006, 07:43 AM
> I realize that php can only work serverside, generally....

Actually, it's a very powerful application-development language too, and has bindings for most popular toolkits.

> It's like saying that "well, ftp isn't really that secure, so you should make your webpage more secure"... sure... makes sense, 'cept that the ftp (or, in this case the forum) is the weakest link... so... that's that.

FTP isn't really that secure. :) Use sftp. I believe Mike was talking of security as an absolute, not a measure. MD5 is pretty secure; it's very difficult to find the original data. However, it is possible to find collisions; that is to say, other data that produces the same hash. There is a paper (http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf) on the subject by Xiaoyun Wang and Hongbo Yu.
The question here isn't how secure your current setup is, but what the browser will do to prevent what it would perceive as a breach of security. You cannot retrieve a cookie from a domain other than that from which the request was made.
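To make Twey's last point (and Mike's earlier one) concrete, here is an added example, not from the thread, that drives Python's standard `http.cookiejar`, which applies the same domain-scoping rules a browser does, against the two server layouts discussed: the two unrelated registered domains, and the single-domain, name-based virtual host layout Mike recommends. The cookie name, the host names and the `loginverify.php` responses are constructed for the demo.

```python
import email.message
import http.cookiejar
import urllib.request


class CapturedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return the response headers.  Constructed for this example."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # appends, allows repeats

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie_headers):
    """Simulate the visitor's browser receiving Set-Cookie from a login page."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(login_url)
    jar.extract_cookies(CapturedResponse(set_cookie_headers), request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when no stored cookie is in scope for that host."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Layout from the thread: two unrelated registered domains.  The forum sets
# a host-only cookie, so it is scoped to thebrbforums.com and nothing else.
SEPARATE_DOMAINS = jar_after_login(
    "http://thebrbforums.com/loginverify.php",
    ["user=djr33; Path=/"])

# Layout Mike recommends: virtual hosts under one domain, with the cookie's
# Domain attribute set to the parent so every subdomain receives it.
ONE_DOMAIN = jar_after_login(
    "http://forums.thebrb.com/loginverify.php",
    ["user=djr33; Domain=.thebrb.com; Path=/"])


if __name__ == "__main__":
    checks = [
        (SEPARATE_DOMAINS, "http://thebrbforums.com/members.php"),
        (SEPARATE_DOMAINS, "http://thebrb.com/index.php"),
        (ONE_DOMAIN, "http://www.thebrb.com/index.php"),
        (ONE_DOMAIN, "http://thebrbforums.com/index.php"),
    ]
    for jar, target in checks:
        print(f"{target:45} Cookie: {cookie_header_for(jar, target)}")
```

The second check is the thread's whole problem in one line: a page on thebrb.com never sees the forum's cookie, whatever fetches it (include, XMLHttpRequest, or frame), because the browser only attaches a cookie to requests for the domain that set it. The third check shows why the single-domain layout needs no cross-domain trick at all.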

djr33
05-02-2006, 08:49 AM
My server isn't set up with sftp and still would have ftp set up, so it wouldn't matter what I use personally. Heh.

Hmm... alright. I'll think some more. Maybe redirecting through a page on the other server.... could work.