If a form uses the POST method for user authentication, can I still use get?

[jdlev]

So here's the deal.  I've got a user authenticated website using php w/ a post login form.  We run a call center, and if I can preload a user's account information to view information about their company directly into a get uri, it would save me from having to develop an admin interface for the software.

 

So, if I know the user login action form, and the relevent login variables, can I get into a users account using the get method instead of having our operators log in every time?

 

TIA

[Psycho]

If you can load the user's account information, you can just as easily send it via POST or GET. You don't have to make a form for the support rep to enter the credentials into.

 

Whether or not sending the data via POST vs GET and actually working will be completely dependent upon how the authentication page was built. If it looks for both POST and GET variables it would work. If not, it wont. It's that simple.Would take all of 30 seconds to test.

 

But, as I said, it would be just as easy to build a solution that sends the data via POST. I'm not sure how you were planning to "present" the feature to the service rep to utilize. but, if you were going to show links on the page, you could just as easily create multiple forms with hidden fields for the authentication data with only a visible submit button for each client for the support rep to click.

[jdlev]

Our call center software has the ability to preload web addresses if the operator hits a hot key Ctrl+w....so if I can preload the user information into the URI...the operators can go straight to the users account to view information.  Right now, there is only the post authentication on the action page, so I'm guessing the get uri transfer wouldn't work.   Security is much more important than ease of design, so I'll probably just add an admin account to access all the accounts.  Thanks for the tips

[Psycho]

Ah, ye of little faith. Don't give up at the first impediment.

 

I'm not sure what you mean by "Our call center software has the ability to preload web addresses if the operator hits a hot key . . ." Not sure what you mean by "preload". But, no matter. I will assume that all you have the ability to do is send a URL for the support rep to open in their browser. I will also assume that you will be appending in that URL the credentials for the customer's account.

 

So, you can pass the credentials to the support rep via a URL, but the credentials need to be sent to the login page via POST. No problem. Create an intermediary page.

 

So, let's say the login page that receives the POST data is login.php. Create a new page called support_login.php and create the URL to that page along with the parameters for the credentials. Then create that page something like this:

 

<html>
<body>
<form action="login.php" method="post">
Username: <input type="hidden" name="username" value="<?php echo $_GET['uname']; ?>" /><br>
Password: <input type="hidden" name="username" value="<?php echo $_GET['pword']; ?>" /><br>
<button type="submit">Login As User</button>
</form>
</body>
</html>

 

Now, that's an oversimplification of what I would really do. I'd definitely add some validation of the parameters. And, I might pass a parameter to display the account number/name to the page as well so the support rep can confirm the account before logging in. But, that should give you the idea.

[teynon]

To answer the POST and GET question, yes.

 

<form action="mypage.php?myvar=123&myvar2=1234" method="POST">
</form>

 

You could just include additional hidden form values though.

[Psycho]

 

To answer the POST and GET question, yes.

 

<form action="mypage.php?myvar=123&myvar2=1234" method="POST">
</form>

 

That will not send those values in the query string (myvar & mayvar2) as POST variable. They will still be in the $_GET array. To have them sent as POST vars you need to put them as input fields in the form.

[teynon]

That will not send those values in the query string (myvar & mayvar2) as POST variable. They will still be in the $_GET array. To have them sent as POST vars you need to put them as input fields in the form.

The point of what I posted was to demonstrate that you can send variables in the query string while still submitting POST form data. What / why the user is trying to do is not entirely clear.

[teynon]

If you are trying to make a sort of "quick" login, you can make a sort of "reader" page that submits the data.

 

For example:

 

<body onload="$('#form').submit();">
<form id="form">
<input type="hidden" name="username" value="<?php echo $_GET['user'];?>">
<input type="hidden" name="password" value="<?php echo $_GET['password'];?>">
</form>

 

However, you would have to send the users password in the query string which would be highly insecure. Not sure if you're trying to bypass a login page of something you don't know or not. You could do the same thing with an ajax request to log in the user.