Jump to content

login using curl


Lefu
 Share

Recommended Posts

 

Hi guys, I hope this is the right place to post this.

 

I have two subdomains, one has authentication login already setup, so I just want to use the "single sign on" method using curl to achieve this.

below is my script. I have tested it and it does pass variables to the authentication page but I can not be logged in,

 

I am hoping you guys can help.

 

$passed_vars='l_username='.$_REQUEST["l_username"].'&l_password='.$_REQUEST["l_password"].'&returnURL='.$_REQUEST["returnURL"];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://example.com/play/login');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $passed_vars);
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt ($ch,CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close($ch);


 

when I do print_r($store) I can see the login page returned but no sessions set.

 

Thanks

Link to comment
Share on other sites

the problem is that your PHP script has now just logged itself into the 2nd site, not your user's browser.

 

your better bet is, send the user to the 2nd site and pass a token (either as a $_GET or $_POST) that both sites recognize.

 

I'm no expert so some one probably has a better way to do this, but for example, you could send the user from site1 to site2 with site1's php SESSION_ID as the token.  Then, once on site2, a php script runs a cURL script back to site1, sending along this session id (and probably some other authenticaion values to prevent XSS hacking) and receiving the session data from site1.

Link to comment
Share on other sites

I've run into this same issue and am trying to figure out the best way to do this. both my domains are on the same server so i can access the sessions on both domain. i just trying to figure out how to verify the user so there isn't any session hijacking.

Link to comment
Share on other sites

hi  micah1701,

 

I think I am posting to site2 from site1. Or I may be misunderstanding what you wrote, as for this script I have tried to send data as "hard coded" and still nothing from site2, I do get a session that I have reached site2 and the output is my login screen.

 

Please lemme know how it went  schilly, and maybe if it worked you can share the code.

Thanx.

 

 

Link to comment
Share on other sites

Ok, so I didn't test any of this, but here is what I'm envisioning.

 

so on site 1:

<?php
start_session();
$_SESSION['auth_token'] = rand(10000,99999);
$_SESSION['username'] = "Joe_blow";

echo '<a href="http://www.site2.com/login.php?session_id='.$session_id.'&auth='.$_SESSION['auth_token'].'">click here to log in to site 2</a>';
?>

 

on site 2, "login.php"

<?php
session_start();
$get_session_data = file_get_contents('http://www.site1.com/pass_session.php?session_id='.$_GET['session_id'].'&auth='.$_GET['auth']);
if($get_session_data == "fail"){ 
exit("ERROR: Could Not Log In From site1.com"); 

}else{

$_SESSION['username'] = $get_session_data;

header("Location: /welcome-page.php");
}
?>

 

back on site 1, the page "pass_session.php" page, called from site2 in the above code, should look like:

<?php
session_id($_GET['session_id']); // load the session
session_start();

if($_GET['auth'] != $_SESSION['auth_token']){  
exit("fail");
}else{
echo $_SESSION['username']; // or whatever other value you want to pass to site2.
}

?>

 

Hope that helps!

Link to comment
Share on other sites

Thanks Micah. I'm looking at something very similar. My domains are on the same server so I can access all the sessions from domain2 without contacting domain1 if I know the session id. I think I'm going to try out an IP verification between sessions so people can't send links to other people and grant them access.

Link to comment
Share on other sites

Ok I tried something similar.

 

I'm having issues with

session_id($_GET['session_id']); // load the session

 

in my verification script from the curl or file_get_contents call. Whenever I try to set the session id the curl call times out. Not sure what the deal is. I tried setting a cookie for the curl call as well.

 

If I load the verification URL in my browser it works fine. Pulling out hairs here.

 

Link to comment
Share on other sites

Ok I switched back to my original method. Here it is:

 

on domain2 in my header/connect file

//***already called session_start()

if(!isset($_SESSION['session_check_flag'])){ //

	// Check for GET sid Var
	if (isset($_GET['sid'])) { 

		$curr_sid = session_id();
		$url_sid = $_GET['sid'];

		//access the other session
		session_destroy();
		session_id($url_sid);
		session_start();

		#echo "<br>" . print_r($_SESSION, true) . "<br>";

		$session_ip = $_SESSION['account']['ip'];
		$curr_ip = $_SERVER['REMOTE_ADDR'];

		#echo "<br>curr sid = $curr_sid and get sid = $url_sid<br>";

		if($session_ip != $curr_ip){

			//create new session and delete old one
			$_SESSION = array();
			session_destroy();
			session_start();

			echo "<br>IP Mismatch - Reset Session<br>";

		} else {

			echo "<br>IP Match - Keep Current Session<br>";

		}



	}

	#echo "<br>" . print_r($_SESSION, true) . "<br>";

	// Set cross domain check flag
	$_SESSION['session_check_flag'] = 1;


}

 

it just needs some final testing. this will only work if your domain are on the same server as the session info lies in the same area on the web server so you can access it without external calls (curl/file_get_contents).

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.