[SOLVED] using http:user:pw@domain.com across servers


pickled

We have 2 servers for our site. boxa.mydomain.com and boxb.mydomain.com.

Boxb is the IIS server. Boxa is linux.

On a page, if I have an href pointing to a secured page on boxb.mydomain.com, the page will work if it's referenced by http:user:pw@boxb.mydomain.com.

However, if I try to access it directly in php, such as header( "Location:http:user:pw@domain.com" ), it prompts the user for a user name and password.

Same thing happens if I try to use a file open across servers.

I've tested it by having it echo the href instead of doing the header location, and if I copy and paste the string into a url, it works fine.

My only guess is I'm missing some kind of header field, but I can't figure out which one it could be.

Any ideas?

Link to comment

Whenever you see blah:blah@blah.com in the address bar, that's not the actual URL.

The URL would still be blah.com, and the blah:blah would be sent in additional headers. As far as I know, it's not possible to redirect someone with authentication.

Are you trying to transfer clients across servers or what?

Link to comment

Yes. I'm trying to access a secured page on our second server.

The user has entered his credentials on our first server already so we know he's authorized.

We are trying to do 2 things here:

First, eliminate the need for the user to type in his credentials on the second server each time he happens to need to do something that accesses it.

Second, eliminate the need to add each user to each server.

The thing is, the php documentation even showed this in an example for accessing a file on another server.

Plus, I KNOW I can't be the first person to need to do something like this.

Link to comment

What type of authentication are you using? HTTP-basic?

If so, read:

http://www.faqs.org/rfcs/rfc2617
(Section 2, Basic Authentication Scheme)

Location: <location>

Would make the client do something like:

GET <location> HTTP/1.1
Host: somehost

Most clients would probably not handle a
Location: user:pass@blah.com
header correctly.

user:pass@blah.com when put into the address bar is not actually sent to the server in the main header line.

For example, it does not get sent as:

GET http://user:pass@blah.com/somepage.php HTTP/1.1

(actually, including the full http://.... part would be unusual, and is usually only done with proxies.)

It would get sent as something like:

GET somepage.php HTTP/1.1
Authorization: Basic <base64 encoded equivalent of user:pass>

And, as far as I know, there is no header to tell a client to "include these credentials in your next request."

One way to do it would be to do the redirection client side (as in doing it with content, not headers) with JavaScript or a meta refresh. That could have obvious problems, but it would be a possible solution.

Another option is to somehow communicate between server1 and server2 that the user is still authenticated.

Another option would be to change authentication types.

Link to comment
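
The mapping described in the reply above, as an added PHP example that is not part of any post in this thread: the userinfo part of a URL is dropped from the request line and sent as an Authorization header, which is why a Location header cannot carry it. The function names are hypothetical and user:pass is a constructed sample value.

```php
<?php
// Added example: how a client turns a URL with embedded credentials into
// an HTTP request. Function names are hypothetical; user:pass is a sample.

// Split http://user:pass@host/path into the lines a client would send.
function build_basic_auth_request(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $target = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    $host = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');

    // The request line and Host header never contain the userinfo part.
    $lines = ["GET $target HTTP/1.1", "Host: $host"];
    if (isset($parts['user'])) {
        // Userinfo is percent-encoded in the URL; the header carries raw bytes.
        $user = rawurldecode($parts['user']);
        $pass = rawurldecode($parts['pass'] ?? '');
        $lines[] = 'Authorization: Basic ' . base64_encode("$user:$pass");
    }
    return $lines;
}

// Recover "user:pass" from an Authorization header, as the server does.
function decode_basic_auth(string $header): ?string
{
    if (!preg_match('~^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)$~i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    return $decoded === false ? null : $decoded;
}

$request = build_basic_auth_request('http://user:pass@boxb.mydomain.com/somepage.php');
echo implode("\r\n", $request), "\r\n\r\n";
// Base64 is an encoding, not encryption: the header decodes straight back.
echo decode_basic_auth($request[2]), "\n";
```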

Thanks.

Reading the FAQ now. I've been looking for something like that for a while but had no luck.

Client-wise is obviously out of the question. If we were gonna go that route, we might as well just let the users click on <a href="http://systemuser:systempasswd@mydomain.com">the link</a> and not worry about it. Adding it as client-side also adds another level of complexity where it could break.

The other ideas sound promising though.

Thank you for your help. You gave me leads of exploration when I was stuck. :)

Link to comment

<?php

// Credentials for the account on the other server (placeholder values)
$credentials = "userid:password";
$url = "http://boxa.mydomain.com/file";

$headers = array(
    //"POST ".$page." HTTP/1.0",
    "Content-type: text/xml;charset=\"utf-8\"",
    //"Accept: text/xml",
    "Cache-Control: no-cache",
    "Pragma: no-cache",
    //"SOAPAction: \"run\"",
    //"Content-length: ".strlen($xml_data),
    // HTTP Basic: base64 of "user:password", sent by the client with the request
    "Authorization: Basic " . base64_encode($credentials)
    // WWW-Authenticate is the server's challenge header, so it is not sent here
);

// create a new cURL resource
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// Pass the visitor's user agent through if the browser sent one
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT'] ?? '');
// CURLOPT_SSL_VERIFYHOST stays at its default so an https:// URL is
// checked against the server certificate

// Apply the XML to our curl call
//curl_setopt($ch, CURLOPT_POST, 1);
//curl_setopt($ch, CURLOPT_POSTFIELDS, $xml_data);

$data = curl_exec($ch);

if (curl_errno($ch)) {
    echo "Error: " . curl_error($ch);
} else {
    // Show me the result
    var_dump($data);
}
// Release the handle on both the success and the error path
curl_close($ch);

?>

WORKS! WOOHOO!

Thanks all.

Link to comment

If you're going to proxy through things, you could just use mod_proxy to have /some_folder/ on server1 redirect to server2.

But, eh, whatever works ;p.

mod_proxy?

Dunno what that is, but it's only technically a proxy.

The main web server is boxa. Some of the pages on boxa need data from boxb.

This actually works better, as if we were to open the window to the other server with the userid and pw on the browser, they could open up other pages.

This way, we're getting the data and presenting it to them and they have no way to hack it.

Link to comment

  • 5 months later...

Hello,

I have a slightly different situation. For me, the main web server is boxb (IIS). Some of the pages on boxb (IIS) need data from boxa (Linux).

The further complication is: boxa is NOT a webserver.

Instead, I have a command that generates realtime data for me on boxa (Linux). To simplify the discussion, I will say it's
"user@boxa> ls -l *.foo > data.txt"

Any suggestion on how to do that?

(Also, I have put this problem on another thread in this forum before I discovered this. Sorry for the duplication.)

Link to comment