  1. #1
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts

    ASP / .NET / PHP Session Cookies Referrer Problem

    Okay, I need some serious programming answers PLEASE!!!!. Here is the scenario:

    Customer wants users to authenticate based on where they came from. They have several locations that the users will be coming from. They don't want anyone to be able to access their website from anywhere other than these locations. The locations' IP addresses will be changing regularly. Is there a way to have a page on the INTRANET internally that the users will go to and it will start a session or place a cookie and pass them to the website? The website then looks for that session or cookie and lets them in or denies them based on the session or cookie. The sites that they will be coming from are ASP and .NET servers and it encrypts the URL that it is coming from. The website it is going to is on a PHP server and is built on PHP and MySQL. I have asked this in like every forum on the internet I can find and no one seems to have a solution. Any help would be greatly appreciated.

  • #2
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts
    Anyone?

  • #3
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    So you want to transfer the session information from ASP/ASP.net to PHP? If that is the case, yes, that is possible. I've done a similar thing before but it was transferring ColdFusion to ASP.net, but the languages used are irrelevant.
    OracleGuy

  • #4
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts
    Can I set a cookie in asp or .net and then verify that cookie on the PHP server when it passes them through?

    Thank you for responding.

  • #5
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts

    Maybe this will explain it better.

    I built two pages. One is on an ASP machine and the other one is on a PHP server. The first page has the following code:

    Code:
    <%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
    <%
    Response.Cookies("testcookie")="testcookievalue"
    %>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>Untitled Document</title>
    </head>
    <body><meta http-equiv="refresh" content="1;URL=http://www.leadershippinellas.com/test.php">
    </body>
    </html>
    I am trying to pass this cookie from an ASP page to a PHP page. Here is the code I am using on the PHP page:

    Code:
    <html>
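    <body><?php
    // Greet the visitor if the test cookie arrived; escape it before output.
    if (isset($_COOKIE["testcookie"])) {
        echo "Welcome " . htmlspecialchars($_COOKIE["testcookie"]) . "!<br />";
    } else {
        echo "You are not logged in!<br />";
    }
    ?></body>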
    </html>
    I can't get it to see the cookie? Is this even possible?

  • #6
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    That method _might_ work if both pages were running on the same machine, but since they are not, it definitely won't work. What I had to do, since CF and ASP were completely incompatible, is basically what you are going to have to do.

    You'll need two pages, one on the ASP server and one on the PHP server. The first page will need to output all the information you want to send either into a form and submit it to the PHP automatically or send it via querystring. Then the PHP page can take that information and save it to the session.

    Now obviously this could open up a very large security hole, so I recommend you put some sort of encryption and/or handshaking in place so that I can't fake a request from the ASP server to the PHP server and then become validated on the PHP server without actually logging in.
    OracleGuy

  • #7
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts
    Awesome, this is just the type of info I have been trying to get. When you say handshake, what do you mean by that? I don't want to suck up all this info, but if you can point me in the direction I will research it. I am just not sure what you mean by handshake???

  • #8
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,075
    Thanks
    0
    Thanked 256 Times in 252 Posts
    Another possible solution (though not secured) is this.
    Glenn
    ____________________________________

  • #9
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts
    Yeah, I need it to be as secure as possible.

  • #10
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,075
    Thanks
    0
    Thanked 256 Times in 252 Posts
    Well, you can still use the technique I mentioned (window.name) and still make a "secure" transfer of data. Encrypt the data and then Base64 encode it and then put it as the window.name value. The data may be represented by username + the time of login to the previous site + the server name.

    ASP side:
    Code:
    <%
    loginData = username & "|" & Now() & "|" & request.servervariables("SERVER_NAME")
    'encrypt loginData (use any reliable encryption mechanism)
    'base64 encode loginData
    %>
    <script type="text/javascript">
    window.name = "<%=loginData%>";
    </script>
    PHP side: (entry point)
    Code:
    <?php
    // check if referring page (referrer) is valid (may not be reliable)
    // don't display the form below if invalid
    ?>
    <script type="text/javascript">
    function getWindowName(){
       if (window.name!=''){
         document.theForm.theHiddenField.value = window.name;
         window.name="";//reset 
         document.theForm.submit();
       }
       else location.replace("index.php"); //redirect to first page
    }
    </script>
    ...
    <body onload="getWindowName();">
    <form name="theForm" method="post" action="page.php">
    <input type="hidden" name="theHiddenField" />
    </form>
    Then in page.php:
    <?php
    // read the value of theHiddenField
    // base64 decode it
    // decrypt it
    // parse username and datetime and originating server name
    // check if originating server name is valid
    // check if datetime is still within the desired length of time
    // check if username exists.
    // user validation ok if above conditions are successfully met
    ?>

    Hope I explained it clearly and hope that helps.
    Glenn
    ____________________________________
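
Added example (not part of any post in this thread): one way to build the encrypted, time-limited handoff value that posts #6 and #10 describe, using AES-256-GCM so that a forged or altered value fails to decrypt. Both sides are shown in PHP so it runs stand-alone; the key, the host name `intranet.example.local`, the 60-second window and the function names are assumptions.

```php
<?php
// Added example: handoff token sealed with AES-256-GCM (authenticated encryption).
// Payload layout follows post #10: username|issue time|originating server.
const MAX_AGE_SECONDS = 60;                          // assumed validity window
const ALLOWED_ORIGINS = ['intranet.example.local'];  // assumed intranet host name

// Issuer side. Shown in PHP so the example runs stand-alone; the real issuer
// would be the ASP/.NET page using the same shared key and layout.
function issue_token(string $key, string $user, string $origin, int $now): string
{
    $iv = random_bytes(12);                          // fresh nonce for every token
    $plain = implode('|', [$user, $now, $origin]);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);          // 12-byte IV, 16-byte tag, ciphertext
}

// Receiver side (page.php): returns the username, or null if any check fails.
function verify_token(string $key, string $token, int $now): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 29) {
        return null;                                 // not Base64, or too short
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        return null;                                 // wrong key or altered token
    }
    $parts = explode('|', $plain);
    if (count($parts) !== 3 || !in_array($parts[2], ALLOWED_ORIGINS, true)) {
        return null;                                 // malformed or unknown origin
    }
    $age = $now - (int) $parts[1];
    if ($age < 0 || $age > MAX_AGE_SECONDS) {
        return null;                                 // stale or future-dated
    }
    return $parts[0];
}

// Constructed demo values.
$key = random_bytes(32);                             // shared secret, 256 bits
$t0 = time();
$token = issue_token($key, 'alice', 'intranet.example.local', $t0);
$raw = base64_decode($token);
$raw[28] = chr(ord($raw[28]) ^ 1);                   // flip one ciphertext bit
var_dump(verify_token($key, $token, $t0 + 5));       // within the window
var_dump(verify_token($key, $token, $t0 + 600));     // too old
var_dump(verify_token($key, base64_encode($raw), $t0 + 5)); // tampered
```

A token like this is not single-use: anyone who captures it can present it again until the window closes, so the window should be short and the transfer should run over HTTPS.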

  • #11
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Wouldn't it be simpler to store the session data in the MySQL server?

    You can access that server from a remote machine (where your ASP or .NET application runs). All you need to do for that is create a MySQL account and grant write permissions to a new user from the machine that the ASP runs from.

    Then, if you're gonna transfer the client, then you build some sort of 'ticket'.
    Like you register the ASP sessionID in the db and also his IP (will only work for users whose IP doesn't change during their visit, so no AOL users). You can leave out the IP checks, but that creates a risk for session hijacking.
    Then, inside your ASP page, you add the sessionID to each link or to the redirect URL to the PHP server.
    The PHP server then verifies the newcomer by looking up in the MySQL db if there is a record with that IP and that sessionID. If there is one, then you remove that record (to avoid hijacking).

    To make this more secure :
    - you could let the ticket expire very quickly. If the redirect is automatic, then after 10 seconds or so.
    - you could generate a new sessionID right before creating the ticket --> reduces the risk of hijacking
    - you could encode the sessionID
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #12
    Regular Coder
    Join Date
    Jul 2004
    Location
    Tampa
    Posts
    223
    Thanks
    23
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by raf
    Wouldn't it be simpler to store the session data in the MySQL server?

    You can access that server from a remote machine (where your ASP or .NET application runs). All you need to do for that is create a MySQL account and grant write permissions to a new user from the machine that the ASP runs from.
    Would I be able to write to a MySQL database on another server with an ASP page? I have inserted info from PHP pages before into MySQL, but not ASP pages.

    Then, if you're gonna transfer the client, then you build some sort of 'ticket'.
    Like you register the ASP sessionID in the db and also his IP (will only work for users whose IP doesn't change during their visit, so no AOL users). You can leave out the IP checks, but that creates a risk for session hijacking.
    Then, inside your ASP page, you add the sessionID to each link or to the redirect URL to the PHP server.
    How do you pull the session ID into the page? Do you mean have it go to a page and put the Session ID and the IP Address into a form and then auto submit the info then forward them to the PHP Page and pull the last record and match the info up?

    Thank you so much for the response!!!

  • #13
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by dprichard
    Would I be able to write to a MySQL database on another server with an ASP page? I have inserted info from PHP pages before into MySQL, but not ASP pages.
    Sure. Why not? All you need is the user account set up so that it allows connections from your ASP server. I've posted the connection string you need to connect to MySQL here yesterday.
    http://www.codingforums.com/showthre...449#post220449
    All you need to do is replace
    server=localhost with server=the IP of the ASP server or server=the hostname of the ASP server

    To create the user, all you need is
    GRANT INSERT ON your_db_name.* TO 'your_new_username'@'yourdomain.com' IDENTIFIED BY 'your_password';

    How do you pull the session ID into the page? Do you mean have it go to a page and put the Session ID and the IP Address into a form and then auto submit the info then forward them to the PHP Page and pull the last record and match the info up?
    All you need for the sessionID is:

    Session.SessionID

    I don't know your situation, but if you want to move the client from the ASP to the PHP server, then you just insert the record (using Session.SessionID to get the session ID and getting the IP with Request.ServerVariables("REMOTE_ADDR")).

    Then you make a Response.Redirect, and to the URL you add the Session.SessionID.

    In the PHP page, you grab the sessionID from the querystring and the IP with $_SERVER['REMOTE_ADDR'], and you then use them in your select.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
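
Added example (not from raf's posts or anyone else in the thread): the ticket scheme from posts #11 and #13, with the lookup and removal done as one DELETE so a ticket cannot be redeemed twice. An in-memory SQLite database stands in for the shared MySQL server so the code runs offline; the table layout, function names, sample IPs and the random ticket value (used in place of the raw Session.SessionID) are assumptions.

```php
<?php
// Added example: one-time ticket handoff through a shared database.
// SQLite in memory is a stand-in for MySQL; names and values are assumed.
const TICKET_TTL = 10; // seconds, following the "expire very quickly" advice

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (ticket TEXT PRIMARY KEY, ip TEXT, created INTEGER)');
    return $db;
}

// What the ASP page would do just before redirecting (needs INSERT only).
function create_ticket(PDO $db, string $ip, int $now): string
{
    $ticket = bin2hex(random_bytes(16)); // unguessable, unlike a reused session ID
    $db->prepare('INSERT INTO tickets (ticket, ip, created) VALUES (?, ?, ?)')
       ->execute([$ticket, $ip, $now]);
    return $ticket;
}

// What the PHP page does with the querystring value and REMOTE_ADDR.
// One DELETE both checks and consumes the ticket, so two requests racing
// with the same ticket cannot both succeed.
function redeem_ticket(PDO $db, string $ticket, string $ip, int $now): bool
{
    $stmt = $db->prepare(
        'DELETE FROM tickets WHERE ticket = ? AND ip = ? AND created >= ?'
    );
    $stmt->execute([$ticket, $ip, $now - TICKET_TTL]);
    return $stmt->rowCount() === 1;
}

// Constructed demo: documentation-range IPs and a fixed start time.
$db = open_db();
$t0 = time();
$a = create_ticket($db, '192.0.2.10', $t0);
var_dump(redeem_ticket($db, $a, '192.0.2.10', $t0 + 2));   // first use
var_dump(redeem_ticket($db, $a, '192.0.2.10', $t0 + 3));   // replay of a used ticket
$b = create_ticket($db, '192.0.2.10', $t0);
var_dump(redeem_ticket($db, $b, '198.51.100.7', $t0 + 2)); // different client IP
var_dump(redeem_ticket($db, $b, '192.0.2.10', $t0 + 60));  // past the lifetime
```

Against MySQL the same statements run through PDO's mysql driver; the ASP account needs only INSERT on the table, matching the GRANT shown in post #13.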

