tblade Posted May 12, 2010 Share Posted May 12, 2010 Hello, I am currently working on a site that uses CAS authentication, my problem is to keep my site secure, mainly my form processor at this point. With this my form processor has a function call at the top to make sure the user is currently logged in and authenticated, before it processes the form data and submits it to a data base(well at least that's the hope). What I am running into however is that when the form is being sent to processed using POST it is sent to my 'submit.php' that looks something like this <?php //cas Auth include_once('CAS.php'); phpCAS::setDebug(); phpCAS::client(CAS_VERSION_2_0,'auth.cas.foo',443,''); phpCAS::forceAuthentication(); phpCAS::setNoCasServerValidation(); phpCAS::forceAuthentication(); if (isset($_REQUEST['logout'])) { phpCAS::logout(); } $user = phpCAS::getUser(); ?> <?php $school = $_POST["School"]; $department = $_POST["department"]; $course = $_POST["course"]; $url = $_POST["url"]; $comments = $_POST["comments"]; $con = mysql_connect("localhost","root",""); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("wake2_development", $con); $username = $user; echo $_POST["School"]; $sql="INSERT INTO contents (School, department, course, url, comments, username) VALUES ('".$school."','".$department."','".$course."','".$url."','".$comments."','".$username."')"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } echo "1 record added"; mysql_close($con) ?> The problem with this is that when the vairiables are sent using POST they are lost when the CAS controller is called because it is actually going to another file and All variables are dropped. Does any one have an idea of a sleek and easy way around this or another way to go about this? Please Help. Thanks, Tblade Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted May 12, 2010 Share Posted May 12, 2010 thought about: SESSION_START(); $_SESSION['variable'] = $_POST['variable']; ...etc... include_once "cas.php"; ...your page calling the session var's rather than post... Quote Link to comment Share on other sites More sharing options...
tblade Posted May 12, 2010 Author Share Posted May 12, 2010 thought about: SESSION_START(); $_SESSION['variable'] = $_POST['variable']; ...etc... include_once "cas.php"; ...your page calling the session var's rather than post... The problem with this is that CAS already calls a session or has the session, and thus starting a new one makes its session ignored thus keeping my db venerable to none authorized users. CAS is a single sign on service for multiple web applications. (one sign on for tons of non-related web services) any other ideas? Quote Link to comment Share on other sites More sharing options...
947740 Posted May 12, 2010 Share Posted May 12, 2010 Then use the session that CAS starts... Quote Link to comment Share on other sites More sharing options...
tblade Posted May 12, 2010 Author Share Posted May 12, 2010 The problem is that when i do it bombs. I try just setting the session variables and i will get un-indexed errors from my server. I have no idea why but i have a feeling the CAS controller is not allowing it happen. Quote Link to comment Share on other sites More sharing options...
947740 Posted May 12, 2010 Share Posted May 12, 2010 Try looking in some of the CAS files and see how they declare session variables. They might use a function or something, not allowing direct declarations. I don't know if this is the best way, it's just a suggestion. Quote Link to comment Share on other sites More sharing options...
tblade Posted May 12, 2010 Author Share Posted May 12, 2010 As it turns out i was doing some digging and that's exactly how it is done and i think its because the CAS system uses a very precise way of parsing the session information. My next question is there a way to not use session_start(); and still set session variables? Is there a way to try and pull the other CAS SESSION? Quote Link to comment Share on other sites More sharing options...
947740 Posted May 12, 2010 Share Posted May 12, 2010 Hrrrm...you might be able to. You might have issues, though, if CAS tightly controls the session variables. If you want a look at $_SESSION...just var_dump() it and see what you get. I don't know if that will provide any insight...wouldn't hurt to check, though. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted May 12, 2010 Share Posted May 12, 2010 That CAS script only redirects to the authorization site when you are not logged in. If someone was logged in on your form page and submitted data, there should be no issue (assuming you are not getting a header error that is preventing the session from working at all.) The form data will be present and the code will just stay on your form processing page. If someone submitted form data and they are not already logged in, they weren't using your form page anyway and you should not care that the form data is lost. Quote Link to comment Share on other sites More sharing options...
tblade Posted May 12, 2010 Author Share Posted May 12, 2010 That CAS script only redirects to the authorization site when you are not logged in. If someone submitted form data and they are not already logged in, they weren't using your form page anyway and you should not care that the form data is lost. This is partially true, it still has to check to make sure the session is current and there for goes past the current php page (submit.php) on to CAS.php and then some other pages for all the functions. The problem here is that PHP only allows POST sent items available to the first php page it is sent to and therefor loosing any form data sent. CAS has to be called at the beginning of each page this provides security throughout the site so even if the person is logged in they are still checked to make sure they are logged in with a valid ticket id and so forth. And since it has closed session variables (at least to my knowledge) i am unable to use them and make my form data available throughout the session. Thus creating my problem. The form processor runs but all the variables become unindexed making them blank and there for filling my db with null entries Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted May 13, 2010 Share Posted May 13, 2010 The easy, server heavy workaround would be to re-post off every single page using hidden form fileds, although it would be better to see if you can "export" the POST returns to an intermediary page using headers and include it throughout. Slightly more interesting way would be to create a new table and a new db user login that only has limited access to that table. Use the table as a temp store for the form info, deleting it on successful login (keeping an audit of failed login atempts), or on both successful and failed logins for more security. This way if anyone manages to compromise your login credentials, they will get nothing for it. Quote Link to comment Share on other sites More sharing options...
tblade Posted May 13, 2010 Author Share Posted May 13, 2010 Thanks to all who replied. As it turns out I was able to work around by starting a new session and saving the variables into session wide variables as suggested earlier. After doing some experimenting, which is hard to do with CAS, I found that the error I wasn't as big of a problem. I changed some scripting to allow it to ignore the kill function being called and not give me an error. This overall still gave me the security I was looking for and also allowed me to use my form processor as needed. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.