| Posting and redirecting to remote script [message #173287] |
Fri, 01 April 2011 18:20  |
Toxalot
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
My client has a subscribers only area which is written in PHP. Login
is through a form and sessions are tracked with cookies.
One of the client's subscribers has their own members only website.
The subscriber wants all their members to be able to access my
client's subscribers only area without having to provide a username
and password. The simplest way would be for the subscriber to put a
form button on their site that has the login info in hidden fields.
But that means any of their members could get the login details by
viewing the source. I don't know how savvy their members are, but I
don't like security through obscurity.
I had hoped to create a simple little script that the subscriber could
install that would post directly to my client's script and end up on
the client's site. But so far, it hasn't been as simple as I'd hoped.
All methods of posting to remote script keep the user on the same
site.
Any suggestions on how to handle this?
|
|
|
|
| Re: Posting and redirecting to remote script [message #173289 is a reply to message #173287] |
Fri, 01 April 2011 18:36  |
Captain Paralytic
Messages: 204
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Apr 1, 7:20 pm, Toxalot <toxa...@gmail.com> wrote:
> My client has a subscribers only area which is written in PHP. Login
> is through a form and sessions are tracked with cookies.
>
> One of the client's subscribers has their own members only website.
> The subscriber wants all their members to be able to access my
> client's subscribers only area without having to provide a username
> and password. The simplest way would be for the subscriber to put a
> form button on their site that has the login info in hidden fields.
> But that means any of their members could get the login details by
> viewing the source. I don't know how savvy their members are, but I
> don't like security through obscurity.
>
> I had hoped to create a simple little script that the subscriber could
> install that would post directly to my client's script and end up on
> the client's site. But so far, it hasn't been as simple as I'd hoped.
> All methods of posting to remote script keep the user on the same
> site.
>
> Any suggestions on how to handle this?
The script could post the necessary login to your client's site and
get a one time token returned. It could use this on a header location
redirect to move the user to the other site. The other site would use
the one time token to log them in and place the necessary cookie.
|
|
|
|
| Re: Posting and redirecting to remote script [message #173290 is a reply to message #173289] |
Fri, 01 April 2011 19:54 |
Toxalot
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
On Apr 1, 3:36 pm, Captain Paralytic <paul_laut...@yahoo.com> wrote:
> On Apr 1, 7:20 pm, Toxalot <toxa...@gmail.com> wrote:
>
>
>
>> My client has a subscribers only area which is written in PHP. Login
>> is through a form and sessions are tracked with cookies.
>
>> One of the client's subscribers has their own members only website.
>> The subscriber wants all their members to be able to access my
>> client's subscribers only area without having to provide a username
>> and password. The simplest way would be for the subscriber to put a
>> form button on their site that has the login info in hidden fields.
>> But that means any of their members could get the login details by
>> viewing the source. I don't know how savvy their members are, but I
>> don't like security through obscurity.
>
>> I had hoped to create a simple little script that the subscriber could
>> install that would post directly to my client's script and end up on
>> the client's site. But so far, it hasn't been as simple as I'd hoped.
>> All methods of posting to remote script keep the user on the same
>> site.
>
>> Any suggestions on how to handle this?
>
> The script could post the necessary login to your client's site and
> get a one time token returned. It could use this on a header location
> redirect to move the user to the other site. The other site would use
> the one time token to log them in and place the necessary cookie.
I think I understand what you're saying.
On client's site, I'd need
- new script/function to create token, store token in database, and
return token
- new script/function to check for valid tokens, delete token, and
then go on as per usual
On subscriber's site, I'd need
- script that posts login info using something like cURL, retrieves
token, then redirects with token in query string
Am I missing anything? Any tips or gotchas I should watch out for?
|
|
|
|
| Re: Posting and redirecting to remote script [message #173291 is a reply to message #173290] |
Fri, 01 April 2011 20:24 |
Captain Paralytic
Messages: 204
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Apr 1, 8:54 pm, Toxalot <toxa...@gmail.com> wrote:
> On Apr 1, 3:36 pm, Captain Paralytic <paul_laut...@yahoo.com> wrote:
>
>
>
>
>
>> On Apr 1, 7:20 pm, Toxalot <toxa...@gmail.com> wrote:
>
>>> My client has a subscribers only area which is written in PHP. Login
>>> is through a form and sessions are tracked with cookies.
>
>>> One of the client's subscribers has their own members only website.
>>> The subscriber wants all their members to be able to access my
>>> client's subscribers only area without having to provide a username
>>> and password. The simplest way would be for the subscriber to put a
>>> form button on their site that has the login info in hidden fields.
>>> But that means any of their members could get the login details by
>>> viewing the source. I don't know how savvy their members are, but I
>>> don't like security through obscurity.
>
>>> I had hoped to create a simple little script that the subscriber could
>>> install that would post directly to my client's script and end up on
>>> the client's site. But so far, it hasn't been as simple as I'd hoped.
>>> All methods of posting to remote script keep the user on the same
>>> site.
>
>>> Any suggestions on how to handle this?
>
>> The script could post the necessary login to your client's site and
>> get a one time token returned. It could use this on a header location
>> redirect to move the user to the other site. The other site would use
>> the one time token to log them in and place the necessary cookie.
>
> I think I understand what you're saying.
>
> On client's site, I'd need
> - new script/function to create token, store token in database, and
> return token
> - new script/function to check for valid tokens, delete token, and
> then go on as per usual
>
> On subscriber's site, I'd need
> - script that posts login info using something like cURL, retrieves
> token, then redirects with token in query string
>
> Am I missing anything? Any tips or gotchas I should watch out for?
That's pretty much it.
You could also have a time limit on the token.
I'm sure that there are lots of other ways, for instance using an
openid, but this sounds like it fits with the ideas you were already
thinking of.
|
|
|
|
| Re: Posting and redirecting to remote script [message #173292 is a reply to message #173287] |
Fri, 01 April 2011 23:02 |
Twayne
Messages: 135
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
In news:e96fbcd2-b36f-4005-b135-7c86373c248a(at)a17g2000yqn(dot)googlegroups(dot)com,
Toxalot <toxalot(at)gmail(dot)com> typed:
> My client has a subscribers only area which is written in
> PHP. Login is through a form and sessions are tracked
> with cookies.
>
> One of the client's subscribers has their own members
> only website. The subscriber wants all their members to
> be able to access my client's subscribers only area
> without having to provide a username and password. The
> simplest way would be for the subscriber to put a form
> button on their site that has the login info in hidden
> fields. But that means any of their members could get the
> login details by viewing the source. I don't know how
> savvy their members are, but I don't like security
> through obscurity.
>
> I had hoped to create a simple little script that the
> subscriber could install that would post directly to my
> client's script and end up on the client's site. But so
> far, it hasn't been as simple as I'd hoped. All methods
> of posting to remote script keep the user on the same
> site.
>
> Any suggestions on how to handle this?
A PHP script operating on a remote server will NOT be visible by doing a
View Source! All they'll see is what the PHP code sends back to the screen
as HTML but not the processes which created that HTML on the fly. That's one
of the valid reasons for using PHP or any server-side programming.
HTH,
Twayne`
|
|
|
|
| Re: Posting and redirecting to remote script [message #173294 is a reply to message #173292] |
Fri, 01 April 2011 23:30 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/1/2011 7:02 PM, Twayne wrote:
> In news:e96fbcd2-b36f-4005-b135-7c86373c248a(at)a17g2000yqn(dot)googlegroups(dot)com,
> Toxalot<toxalot(at)gmail(dot)com> typed:
>> My client has a subscribers only area which is written in
>> PHP. Login is through a form and sessions are tracked
>> with cookies.
>>
>> One of the client's subscribers has their own members
>> only website. The subscriber wants all their members to
>> be able to access my client's subscribers only area
>> without having to provide a username and password. The
>> simplest way would be for the subscriber to put a form
>> button on their site that has the login info in hidden
>> fields. But that means any of their members could get the
>> login details by viewing the source. I don't know how
>> savvy their members are, but I don't like security
>> through obscurity.
>>
>> I had hoped to create a simple little script that the
>> subscriber could install that would post directly to my
>> client's script and end up on the client's site. But so
>> far, it hasn't been as simple as I'd hoped. All methods
>> of posting to remote script keep the user on the same
>> site.
>>
>> Any suggestions on how to handle this?
>
> A PHP script operating on a remote server will NOT be visible by doing a
> View Source! All they'll see is what the PHP code sends back to the screen
> as HTML but not the processes which created that HTML on the fly. That's one
> of the valid reasons for using PHP or any server-side programming.
>
> HTH,
>
> Twayne`
>
>
A typical Twayne response. Complete horse hockey.
Now - please tell me - how is the script on the remote server supposed
to know the user is signed onto the original server without passing some
information to the remote via the client?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Posting and redirecting to remote script [message #173296 is a reply to message #173294] |
Sat, 02 April 2011 12:35 |
Toxalot
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
On Apr 1, 8:30 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 4/1/2011 7:02 PM, Twayne wrote:
>
>
>
>> Innews:e96fbcd2-b36f-4005-b135-7c86373c248a(at)a17g2000yqn(dot)googlegroups(dot)com,
>> Toxalot<toxa...@gmail.com> typed:
>>> My client has a subscribers only area which is written in
>>> PHP. Login is through a form and sessions are tracked
>>> with cookies.
>
>>> One of the client's subscribers has their own members
>>> only website. The subscriber wants all their members to
>>> be able to access my client's subscribers only area
>>> without having to provide a username and password. The
>>> simplest way would be for the subscriber to put a form
>>> button on their site that has the login info in hidden
>>> fields. But that means any of their members could get the
>>> login details by viewing the source. I don't know how
>>> savvy their members are, but I don't like security
>>> through obscurity.
>
>>> I had hoped to create a simple little script that the
>>> subscriber could install that would post directly to my
>>> client's script and end up on the client's site. But so
>>> far, it hasn't been as simple as I'd hoped. All methods
>>> of posting to remote script keep the user on the same
>>> site.
>
>>> Any suggestions on how to handle this?
>
>> A PHP script operating on a remote server will NOT be visible by doing a
>> View Source! All they'll see is what the PHP code sends back to the screen
>> as HTML but not the processes which created that HTML on the fly. That's one
>> of the valid reasons for using PHP or any server-side programming.
>
>> HTH,
>
>> Twayne`
>
> A typical Twayne response. Complete horse hockey.
>
> Now - please tell me - how is the script on the remote server supposed
> to know the user is signed onto the original server without passing some
> information to the remote via the client?
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Jerry, I'm sure I understand your post. Are you asking me or Twayne?
|
|
|
|
| Re: Posting and redirecting to remote script [message #173297 is a reply to message #173296] |
Sat, 02 April 2011 12:44 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/2/2011 8:35 AM, Toxalot wrote:
> On Apr 1, 8:30 pm, Jerry Stuckle<jstuck...@attglobal.net> wrote:
>> On 4/1/2011 7:02 PM, Twayne wrote:
>>
>>
>>
>>> Innews:e96fbcd2-b36f-4005-b135-7c86373c248a(at)a17g2000yqn(dot)googlegroups(dot)com,
>>> Toxalot<toxa...@gmail.com> typed:
>>>> My client has a subscribers only area which is written in
>>>> PHP. Login is through a form and sessions are tracked
>>>> with cookies.
>>
>>>> One of the client's subscribers has their own members
>>>> only website. The subscriber wants all their members to
>>>> be able to access my client's subscribers only area
>>>> without having to provide a username and password. The
>>>> simplest way would be for the subscriber to put a form
>>>> button on their site that has the login info in hidden
>>>> fields. But that means any of their members could get the
>>>> login details by viewing the source. I don't know how
>>>> savvy their members are, but I don't like security
>>>> through obscurity.
>>
>>>> I had hoped to create a simple little script that the
>>>> subscriber could install that would post directly to my
>>>> client's script and end up on the client's site. But so
>>>> far, it hasn't been as simple as I'd hoped. All methods
>>>> of posting to remote script keep the user on the same
>>>> site.
>>
>>>> Any suggestions on how to handle this?
>>
>>> A PHP script operating on a remote server will NOT be visible by doing a
>>> View Source! All they'll see is what the PHP code sends back to the screen
>>> as HTML but not the processes which created that HTML on the fly. That's one
>>> of the valid reasons for using PHP or any server-side programming.
>>
>>> HTH,
>>
>>> Twayne`
>>
>> A typical Twayne response. Complete horse hockey.
>>
>> Now - please tell me - how is the script on the remote server supposed
>> to know the user is signed onto the original server without passing some
>> information to the remote via the client?
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> Jerry, I'm sure I understand your post. Are you asking me or Twayne?
Sorry for the confusion, Toxalot. I was asking the troll. It's a usual
idiotic response from him.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]