Lefu Posted October 20, 2010

Hi guys, I hope this is the right place to post this. I have two subdomains; one already has an authentication login set up, so I just want to use the "single sign on" method with curl to achieve this. Below is my script. I have tested it and it does pass the variables to the authentication page, but I cannot get logged in. I am hoping you guys can help.

<?php
// Build the POST body; http_build_query() URL-encodes each value, so an '&' or '='
// in the username/password no longer breaks the string (a bare concatenation would).
$passed_vars = http_build_query(array(
    'l_username' => $_REQUEST["l_username"],
    'l_password' => $_REQUEST["l_password"],
    'returnURL'  => $_REQUEST["returnURL"],
));

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://example.com/play/login');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $passed_vars);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');   // cookies set by the login page are written here (server side)
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');  // ...and sent back from here on later curl requests
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);         // return the response instead of printing it
$store = curl_exec($ch);
curl_close($ch);
?>

When I do print_r($store) I can see the login page returned, but no sessions set. Thanks
micah1701 Posted October 20, 2010

The problem is that your PHP script has now just logged itself into the 2nd site, not your user's browser. Your better bet is to send the user to the 2nd site and pass a token (either as $_GET or $_POST) that both sites recognize. I'm no expert, so someone probably has a better way to do this, but for example, you could send the user from site1 to site2 with site1's PHP session ID as the token. Then, once on site2, a PHP script runs a cURL request back to site1, sending along this session ID (and probably some other authentication values to prevent XSS hacking) and receiving the session data from site1.
schilly Posted October 20, 2010

I've run into this same issue and am trying to figure out the best way to do this. Both my domains are on the same server, so I can access the sessions on both domains. I'm just trying to figure out how to verify the user so there isn't any session hijacking.
Lefu Posted October 20, 2010 (Author)

Hi micah1701, I think I am posting to site2 from site1, or I may be misunderstanding what you wrote. As for this script, I have tried sending the data hard-coded and still get nothing from site2; I do get a session showing that I have reached site2, and the output is my login screen. Please let me know how it went, schilly, and if it worked maybe you can share the code. Thanks.
micah1701 Posted October 21, 2010

Ok, so I didn't test any of this, but here is what I'm envisioning.

So on site 1:

<?php
session_start();
$_SESSION['auth_token'] = rand(10000, 99999);   // one-time value site2 must echo back
$_SESSION['username']   = "Joe_blow";
// session_id() returns the current session's ID so site2 can ask site1 about it
echo '<a href="http://www.site2.com/login.php?session_id=' . urlencode(session_id()) . '&auth=' . $_SESSION['auth_token'] . '">click here to log in to site 2</a>';
?>

On site 2, "login.php":

<?php
session_start();
// Ask site1 (server to server) for the session data behind this session_id/auth pair
$get_session_data = file_get_contents('http://www.site1.com/pass_session.php?session_id=' . urlencode($_GET['session_id']) . '&auth=' . urlencode($_GET['auth']));
if ($get_session_data === false || $get_session_data == "fail") {
    exit("ERROR: Could Not Log In From site1.com");
} else {
    $_SESSION['username'] = $get_session_data;   // site2 now has its own session for the user
    header("Location: /welcome-page.php");
    exit;
}
?>

Back on site 1, the page "pass_session.php", called from site2 in the above code, should look like:

<?php
session_id($_GET['session_id']);   // load the session the user was given on site1
session_start();
if (!isset($_SESSION['auth_token']) || $_GET['auth'] != $_SESSION['auth_token']) {
    exit("fail");
} else {
    echo $_SESSION['username'];   // or whatever other value you want to pass to site2.
}
?>

Hope that helps!
schilly Posted October 21, 2010

Thanks Micah. I'm looking at something very similar. My domains are on the same server so I can access all the sessions from domain2 without contacting domain1 if I know the session id. I think I'm going to try out an IP verification between sessions so people can't send links to other people and grant them access.
schilly Posted October 21, 2010

Ok I tried something similar. I'm having issues with

session_id($_GET['session_id']); // load the session

in my verification script from the curl or file_get_contents call. Whenever I try to set the session id the curl call times out. Not sure what the deal is. I tried setting a cookie for the curl call as well. If I load the verification URL in my browser it works fine. Pulling out hairs here.
schilly Posted October 21, 2010

Ok I switched back to my original method. Here it is, on domain2 in my header/connect file:

<?php
//*** session_start() has already been called above this point
if (!isset($_SESSION['session_check_flag'])) {
    //
    // Check for GET sid var
    if (isset($_GET['sid'])) {
        $curr_sid = session_id();
        $url_sid  = $_GET['sid'];

        // access the other session (both domains share the same session save path)
        session_destroy();
        session_id($url_sid);
        session_start();
        #echo "<br>" . print_r($_SESSION, true) . "<br>";

        $session_ip = isset($_SESSION['account']['ip']) ? $_SESSION['account']['ip'] : null;
        $curr_ip    = $_SERVER['REMOTE_ADDR'];
        #echo "<br>curr sid = $curr_sid and get sid = $url_sid<br>";

        if ($session_ip != $curr_ip) {
            // create new session and delete old one
            $_SESSION = array();
            session_destroy();
            session_start();
            echo "<br>IP Mismatch - Reset Session<br>";
        } else {
            echo "<br>IP Match - Keep Current Session<br>";
        }
    }
    #echo "<br>" . print_r($_SESSION, true) . "<br>";

    // Set cross domain check flag so this only runs once per session
    $_SESSION['session_check_flag'] = 1;
}
?>

It just needs some final testing. This will only work if your domains are on the same server, as the session info lives in the same place on the web server, so you can access it without external calls (curl/file_get_contents).
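Added example (editor's code, not from micah1701, schilly or Lefu): the hand-off micah describes in his site1/site2 sketch, and the hijacking concern schilly raises, handled with a signed, expiring, single-use token instead of passing the site1 session ID and a rand() value in the link. site1 issues the token after its own login succeeds, the browser carries it to site2, and site2 verifies it with the same shared secret and then starts its own session, so the site1 session ID never leaves site1 and no server-to-server call is needed. The shared secret, the 60-second lifetime, the token parameter name `sso` and the in-memory nonce store are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumptions: both sites share $secret out of
// band (config file, not source), their clocks are roughly in sync, and site2 keeps a
// store of nonces it has already accepted (an array here; a DB table or cache in production).

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data) {
    return base64_decode(strtr($data, '-_', '+/'), true);   // strict: false on bad input
}

// site1: build "payload.signature"; payload is base64url(JSON claims).
function issue_sso_token(string $username, string $secret, int $ttl = 60, ?int $now = null): string {
    $now = $now ?? time();
    $payload = b64url_encode(json_encode([
        'sub'   => $username,
        'iat'   => $now,
        'exp'   => $now + $ttl,                 // short lifetime: the link is only good briefly
        'nonce' => bin2hex(random_bytes(16)),   // single-use identifier, CSPRNG not rand()
    ]));
    $sig = b64url_encode(hash_hmac('sha256', $payload, $secret, true));
    return $payload . '.' . $sig;
}

// site2: returns the username on success, null on any failure (bad signature,
// malformed, expired, or replayed). $used_nonces is the replay store.
function verify_sso_token(string $token, string $secret, array &$used_nonces, ?int $now = null): ?string {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) {        // constant-time compare, checked before parsing
        return null;
    }
    $json   = b64url_decode($payload);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'], $claims['nonce'])) {
        return null;
    }
    if ($claims['exp'] < $now) {
        return null;                            // expired
    }
    if (isset($used_nonces[$claims['nonce']])) {
        return null;                            // replayed: someone reused the link
    }
    $used_nonces[$claims['nonce']] = $claims['exp'];   // keep until it would have expired anyway
    return $claims['sub'];
}

// Usage, both halves shown in one script so it runs from the CLI:
$secret = 'replace-with-a-long-random-shared-secret';   // assumption: loaded from config
$used   = [];

// site1, after its own login succeeded:
$token = issue_sso_token('Joe_blow', $secret);
// header('Location: https://www.site2.com/login.php?sso=' . urlencode($token)); exit;

// site2 login.php, with $token standing in for $_GET['sso']:
$user = verify_sso_token($token, $secret, $used);            // "Joe_blow"
// if ($user !== null) { session_regenerate_id(true); $_SESSION['username'] = $user; }

$replay = verify_sso_token($token, $secret, $used);          // null: nonce already used
$tampered = $token;
$tampered[-1] = ($tampered[-1] === 'A') ? 'B' : 'A';         // flip one signature character
$bad = verify_sso_token($tampered, $secret, $used);          // null: signature mismatch

echo "first:    " . var_export($user, true) . "\n";
echo "replay:   " . var_export($replay, true) . "\n";
echo "tampered: " . var_export($bad, true) . "\n";
```

Because the signature is checked before the payload is decoded, site2 never parses attacker-controlled JSON, and because the nonce is remembered until its `exp`, a forwarded or bookmarked link cannot be used a second time; this addresses the "send links to other people" case without tying the session to a client IP. On site2, calling `session_regenerate_id(true)` before storing the user avoids reusing whatever session ID the browser arrived with.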