tblade Posted May 12, 2010

Hello, I am currently working on a site that uses CAS authentication. My problem is keeping my site secure, mainly my form processor at this point. My form processor has a function call at the top to make sure the user is currently logged in and authenticated before it processes the form data and submits it to a database (well, at least that's the hope). What I am running into, however, is that when the form is sent to be processed using POST it is sent to my 'submit.php', which looks something like this:

```php
<?php
// CAS authentication
include_once('CAS.php');
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0, 'auth.cas.foo', 443, '');
// Server validation settings have to be set before forceAuthentication() is called
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
$user = phpCAS::getUser();

$con = mysql_connect("localhost", "root", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("wake2_development", $con);

// Escape the form input before embedding it in the query string
$school     = mysql_real_escape_string($_POST["School"], $con);
$department = mysql_real_escape_string($_POST["department"], $con);
$course     = mysql_real_escape_string($_POST["course"], $con);
$url        = mysql_real_escape_string($_POST["url"], $con);
$comments   = mysql_real_escape_string($_POST["comments"], $con);
$username   = mysql_real_escape_string($user, $con);

$sql = "INSERT INTO contents (School, department, course, url, comments, username)
        VALUES ('$school','$department','$course','$url','$comments','$username')";
if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
```

The problem with this is that when the variables are sent using POST they are lost when the CAS controller is called, because it is actually going to another file and all variables are dropped. Does anyone have an idea of a sleek and easy way around this, or another way to go about this? Please help.

Thanks,
Tblade
Muddy_Funster Posted May 12, 2010

Thought about:

```php
session_start();
$_SESSION['variable'] = $_POST['variable'];
// ...etc...
include_once "cas.php";
// ...your page calling the session vars rather than post...
```
tblade Posted May 12, 2010 (Author)

> Thought about: session_start(); $_SESSION['variable'] = $_POST['variable']; ...etc... include_once "cas.php"; ...your page calling the session vars rather than post...

The problem with this is that CAS already calls a session or has the session, and thus starting a new one makes its session ignored, keeping my DB vulnerable to non-authorized users. CAS is a single sign-on service for multiple web applications (one sign-on for tons of non-related web services). Any other ideas?
947740 Posted May 12, 2010

Then use the session that CAS starts...
tblade Posted May 12, 2010 (Author)

The problem is that when I do it, it bombs. I try just setting the session variables and I get un-indexed errors from my server. I have no idea why, but I have a feeling the CAS controller is not allowing it to happen.
947740 Posted May 12, 2010

Try looking in some of the CAS files and see how they declare session variables. They might use a function or something, not allowing direct declarations. I don't know if this is the best way; it's just a suggestion.
tblade Posted May 12, 2010 (Author)

As it turns out, I was doing some digging and that's exactly how it is done, and I think it's because the CAS system uses a very precise way of parsing the session information. My next question: is there a way to not use session_start(); and still set session variables? Is there a way to try and pull the other CAS SESSION?
947740 Posted May 12, 2010

Hrrrm... you might be able to. You might have issues, though, if CAS tightly controls the session variables. If you want a look at $_SESSION... just var_dump() it and see what you get. I don't know if that will provide any insight... wouldn't hurt to check, though.
PFMaBiSmAd Posted May 12, 2010

That CAS script only redirects to the authorization site when you are not logged in. If someone was logged in on your form page and submitted data, there should be no issue (assuming you are not getting a header error that is preventing the session from working at all). The form data will be present and the code will just stay on your form processing page. If someone submitted form data and they are not already logged in, they weren't using your form page anyway and you should not care that the form data is lost.
tblade Posted May 12, 2010 (Author)

> That CAS script only redirects to the authorization site when you are not logged in. If someone submitted form data and they are not already logged in, they weren't using your form page anyway and you should not care that the form data is lost.

This is partially true. It still has to check to make sure the session is current and therefore goes past the current PHP page (submit.php) on to CAS.php and then some other pages for all the functions. The problem here is that PHP only makes POST-sent items available to the first PHP page they are sent to, therefore losing any form data sent. CAS has to be called at the beginning of each page; this provides security throughout the site, so even if the person is logged in they are still checked to make sure they are logged in with a valid ticket ID and so forth. And since it has closed session variables (at least to my knowledge), I am unable to use them to make my form data available throughout the session. Thus my problem: the form processor runs, but all the variables become unindexed, making them blank and therefore filling my DB with null entries.
Muddy_Funster Posted May 13, 2010

The easy, server-heavy workaround would be to re-post off every single page using hidden form fields, although it would be better to see if you can "export" the POST returns to an intermediary page using headers and include it throughout.

A slightly more interesting way would be to create a new table and a new DB user login that only has limited access to that table. Use the table as a temp store for the form info, deleting it on successful login (keeping an audit of failed login attempts), or on both successful and failed logins for more security. This way, if anyone manages to compromise your login credentials, they will get nothing for it.
tblade Posted May 13, 2010 (Author)

Thanks to all who replied. As it turns out, I was able to work around it by starting a new session and saving the variables into session-wide variables, as suggested earlier. After doing some experimenting, which is hard to do with CAS, I found that the error wasn't as big of a problem. I changed some scripting to allow it to ignore the kill function being called and not give me an error. This overall still gave me the security I was looking for and also allowed me to use my form processor as needed.
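One way to implement the session stash the thread settled on, written here as an added example (not the poster's code and not part of phpCAS): the submitted fields are kept in the session that phpCAS already uses before forceAuthentication() can redirect, restored once the ticket round-trip brings the browser back, tied to the identity phpCAS::getUser() returns rather than to anything the client sent, and inserted with a PDO prepared statement instead of the concatenated mysql_query. It assumes phpCAS::client() has started the PHP session by the time the stash is written, and the DSN and credentials are placeholders.

```php
<?php
// Added example: preserve a POST body across the phpCAS login redirect.
// Assumption: phpCAS::client() starts the PHP session, so $_SESSION is
// usable between client() and forceAuthentication().
include_once('CAS.php');

phpCAS::client(CAS_VERSION_2_0, 'auth.cas.foo', 443, '');
phpCAS::setNoCasServerValidation(); // must be set before forceAuthentication()

// 1. Before any redirect, copy the expected fields (and only those) into
//    the session. Unknown POST keys are ignored.
$fields = array('School', 'department', 'course', 'url', 'comments');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pending = array();
    foreach ($fields as $f) {
        $pending[$f] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
    }
    $_SESSION['pending_form'] = $pending;
}

// 2. Redirects to the CAS server when there is no valid ticket; the code
//    below only runs for an authenticated user.
phpCAS::forceAuthentication();
$user = phpCAS::getUser();

// 3. Back on this page (a GET after the ticket was validated), take the
//    stash out of the session. It is removed so a refresh cannot replay it.
if (empty($_SESSION['pending_form'])) {
    exit('Nothing to submit.');
}
$pending = $_SESSION['pending_form'];
unset($_SESSION['pending_form']);

// 4. The username column comes from the CAS identity, never from the form,
//    and every value is bound as a parameter. Placeholder DSN/credentials.
$db = new PDO('mysql:host=localhost;dbname=wake2_development;charset=utf8mb4',
              'app_user', 'app_password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $db->prepare(
    'INSERT INTO contents (School, department, course, url, comments, username)
     VALUES (:School, :department, :course, :url, :comments, :username)'
);
$stmt->execute(array(
    ':School'     => $pending['School'],
    ':department' => $pending['department'],
    ':course'     => $pending['course'],
    ':url'        => $pending['url'],
    ':comments'   => $pending['comments'],
    ':username'   => $user,
));
echo '1 record added';
```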