phpsycho Posted September 29, 2011

Okay so I am trying to add API functionality to my website so people can develop apps for it and whatnot. Well there is one problem I came across.. when you want to retrieve the currently logged-in user's information you need the PHP session cookie value and then set the session id. But.. since this application is offsite, the session cookie is not in the header because the session cookie is set on my website, not the app developer's. How can I get the information of the user that is logged in offsite?

xyph Posted September 29, 2011

Not going to happen through a cookie. The only way to do this is if it's sent through the query string or posted through a form.

phpsycho Posted September 29, 2011

damn! hmmm I am sorta new to curl, but.. I came up with this so far..

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://blah.com/api.php?get=currentuser");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3');
    curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, true);
    $info = curl_exec($ch);
    preg_match('~PHPSESSID=([^;]*);~siU', $info, $c);
    $cookie = $c[1];

but preg_match isn't picking up the cookie value for some reason. and the header data is being echoed for some reason. after I have the cookie value I should just be able to then send it over to that same url but with a _GET of that cookie value and set the session id, right?

phpsycho Posted September 29, 2011

hmmm so as I said I can't preg match the php session id from the header info anddd I just realized that cookie value keeps changing every time I refresh that page.

phpsycho Posted September 29, 2011

alright so I finally can get the php session id cookie value, but it's not the current session.. for some reason it keeps creating new sessions.

phpsycho Posted September 29, 2011

ooh okay I think I get it now.. those are cookies that are supposed to be set.. I suppose it isn't detecting that there already are cookies set so it's trying to create new ones and creating a new session. hmmm you can't get the current cookies in the header?

phpsycho Posted September 30, 2011

bump?

phpsycho Posted October 1, 2011

Well if Facebook, Google+, etc. all can get their currently logged-in users' data off their site then I should be able to also.. Could someone point me in the right direction? I've been googling forever and haven't found anything.

xyph Posted October 1, 2011

Facebook has an API that other sites can implement. It allows those sites to authorize users based on a Facebook account. There is a cross-site transaction involved. There is no automatic button for this.

In order to access member-only information from another site, you must cURL to that site using a username/password/sessionid that has access to the data. You could also set up an API, but this must be a mutual process between the external site and yours.

phpsycho Posted October 1, 2011

huh alright. could you give a small example? I sort of understand what you mean.. like I could have a developer sign up and have to enter their website URL and then somehow I can allow that website to obtain cookies that are set on my website?

xyph Posted October 1, 2011

No, you don't understand it at all. You should read up on the HTTP protocol, and how it works.

And no, I can't provide you a small example because it's extremely complex. Tackling a cross-site API system isn't a beginner's task. On top of that, it requires code modification from both sites.

http://developers.facebook.com/docs/guides/web/#login

It explains how it's done.

phpsycho Posted October 1, 2011

Okay now I understand a little more. I'll research some more on it. Thanks!

phpsycho Posted October 1, 2011

ah okay so kinda like the app developer's website will have a login button to my website and when you click on that it brings up a new window and that page is on my server. When a user allows this app to obtain his/her info then it sets a cookie on the app's website with the value of the session id on my website? That's basic of course, but something like that I am assuming, correct?

xyph Posted October 1, 2011

No, you are opening up holes by doing that, but the GENERAL idea is on the right track.

I REALLY REALLY suggest using OAuth: http://oauth.net/2/ rather than developing your own solution. When it comes to security, it's usually best left to professionals.

If this is entirely for educational purposes, do whatever you want - just don't be surprised if it gets exploited.

phpsycho Posted October 1, 2011

I know I should just use that link you gave me, but I like writing my own code, that way I know what does what and I can always edit it without looking at the code for hours and come up with nothing lol. So what if I start a session on the app developer's website with the currently logged-in user's id from my website and use that when requesting info on my site?

EDIT: hmm I just thought about it.. I can't set the session on the app's website because the data I am getting is on my website. Soo I suppose I could insert into my db the user's IP when they log in. Then once the user allows the app to gather his/her info it sets a cookie containing the user's id. Then I will check to see if the user's id in that cookie is in the db and that IP is equal to the current IP. That's pretty secure I suppose, right?

xyph Posted October 1, 2011

Sure, but some ISPs will change a user's IP on every request. Again, this is EXTREMELY advanced. Not a good beginner or intermediate project.

phpsycho Posted October 1, 2011

oh didn't know that. Well there is no better way to learn than to try and try again. So what would you suggest I do if I were to code it myself? One of my friends suggests that my site set a cookie on the app website containing the userid and the user's md5 pass and check if they match in my db then release the user's info.

xyph Posted October 1, 2011

I'm not entirely sure how to achieve this securely. You would first have to authenticate the user, then authenticate the site. Then you'd have to facilitate secure communication between the site and your server, as with every request the remote site would need to verify that the token is still valid.

I can tell you now that md5 is not designed for securing passwords. It may be 1-way, but it's EXTREMELY fast, making bruteforce attacks trivial. Even a nicely salted md5/sha1 etc is very weak against distributed computing services that can be rented out quite cheaply. My old Radeon HD 4870 can calculate over 1 billion md5s a second.

Read the article in my signature. If you think it's complex or hard to understand, realize that what you're trying to accomplish adds several layers on top of it.

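An added example (not code from any poster in this thread, and not a substitute for an OAuth library) of the checks xyph lists above: the app authenticates with its own secret, and the user is represented by a random, expiring token rather than a session id or a password hash. It also reflects the md5 point: the app's secret is stored with PHP's `password_hash()`. The in-memory arrays, the client id `app123`, the secret and the user id 42 are constructed stand-ins for database rows.

```php
<?php
// Constructed stand-ins for database tables (assumptions, not from the thread).
// The app's secret is stored with password_hash(), a slow salted hash, not md5.
$clients = ['app123' => password_hash('constructed-client-secret', PASSWORD_DEFAULT)];
$tokens  = [];  // sha256(token) => ['user' => id, 'client' => id, 'expires' => unix time]

// Provider site: called after the logged-in user approves the app.
function issue_token(array &$tokens, int $userId, string $clientId, int $ttl = 3600): string
{
    // 256 random bits: unguessable and unrelated to the session id or password.
    $token = bin2hex(random_bytes(32));
    // A fast hash is acceptable here only because the input is high-entropy.
    $tokens[hash('sha256', $token)] = [
        'user'    => $userId,
        'client'  => $clientId,
        'expires' => time() + $ttl,
    ];
    return $token;  // given to the app; the raw value is never stored
}

// Provider API: called on every request coming from the app's server.
function authorize_request(array $clients, array $tokens, string $clientId,
                           string $secret, string $token): ?int
{
    // 1. Authenticate the site making the request.
    if (!isset($clients[$clientId]) || !password_verify($secret, $clients[$clientId])) {
        return null;
    }
    // 2. Check the token exists, belongs to this app, and has not expired.
    $row = $tokens[hash('sha256', $token)] ?? null;
    if ($row === null || $row['client'] !== $clientId || $row['expires'] < time()) {
        return null;
    }
    return $row['user'];  // id of the user who granted access
}

$token = issue_token($tokens, 42, 'app123');
var_dump(authorize_request($clients, $tokens, 'app123', 'constructed-client-secret', $token));
var_dump(authorize_request($clients, $tokens, 'app123', 'wrong-secret', $token));
var_dump(authorize_request($clients, $tokens, 'app123', 'constructed-client-secret', 'forged'));
```

Only the first call returns the user id; a wrong app secret or an unknown token yields null. The app's server sends the token and its secret over HTTPS in its own request, so no cookie ever has to cross domains.
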
phpsycho Posted October 1, 2011

Okay I will change things over to that hashing script. Looks to be a lot more secure. Thanks.

I will go with the idea of using the cookie with user id and hashed pass. But.. I tried to set the cookie using my website and the cookie is being placed for the dev's site. So this is what it looks like:

    setcookie("awp", "$userid~|~$pass", "0", "/", ".devsite.com");

and it won't set the cookie. Can you set a cookie for a different website other than the one you're using to execute it with?

trq Posted October 2, 2011

> Can you set a cookie for a different website other than the one you're using to execute it with?

No.

xyph Posted October 2, 2011

You need to learn the protocol before attempting this. You can't begin to plan this without strong knowledge of how HTTP requests work.

phpsycho Posted October 2, 2011

Well I am trying to set a cookie, but it won't set. I know how to set them, I have done it before. I read the header data and the cookie is being set, but when I go view the cookie it's not there. I tried on my site, and then the app's site. Both don't work. I'll research more on HTTP requests though, thanks

phpsycho Posted October 2, 2011

Must have been because I wasn't actually accessing the page, I was using cURL to access the page to set the cookie. Just have to find a different way of doing it.