Posting from 2 pages

[andyd34]

I have 2 pages

 

http://domain.domain.com

<?php
if(isset($_POST['Submit']) && $_POST['Submit'] == "Secure_Login")
{
$username = $_POST['username '];
$password = $_POST['password'];
$ip = $_POST['ip'];
$Submit = $_POST['Submit'];
$subDoamin = $_POST['subDomain '];

header("location:http://".$subDoamin.".domain.com/Login?username=$username&password=$password&ip=$ip&Submit=$Submit");
}
?>
<html>
<body>
<form>
 <input type="hidden" name="ip" value="<?=$_SERVER['REMOTE_ADDR']?>" />
 <input type="text" name="subDomain" />
 <input type="text" name="username" />
 <input type="password" name="password" />
 <button type="submit" name="Submit" value="Secure_Login">Login</button>
</form>
</body>
</html>

then i have

http://www.subdomain.domain.com

<?php
if(isset($_REQUEST['Submit']) && $_REQUEST['Submit'] == "Secure_Login")
{
$username = $_REQUEST['username '];
$password = $_REQUEST['password'];
$ip = $_REQUEST['ip'];
$Submit = $_REQUEST['Submit'];

// do login
}
?>
<html>
<body>
<form>
 <input type="hidden" name="ip" value="<?=$_SERVER['REMOTE_ADDR']?>" />
 <input type="text" name="username" />
 <input type="password" name="password" />
 <button type="submit" name="Submit" value="Secure_Login">Login</button>
</form>
</body>
</html>

Now the problem i am having is when trying to login from http://domain.domain.com i am getting the login screen of http://subdomain.domain.com instead of being logged in automatically

 

The reason for this is i have several subdimains and 1 mobile app and the mobile app directs to http://domain.domain.com so i dont have to get an app for each sun domain

 

Does anyone have any idea whats going wrong

[Psycho]

On the subdomain.domain.com page you've posted above, the code within the if condition ends with the comment

// do login

I'm assuming there is more code there that you left out for posting purposes. But, what exactly does that code do? Is there an exit or redirect at the end? If not, then the code will proceed on after the code block and display the login form.

 

But, assuming that the rest of that code is perfectly fine, then your problem is likely that the condition check to see if there was a submission is not returning true. Try putting this at the beginning of that page and see what is displayed to verify what data is passed/ received. 

var_dump($_REQUEST);
exit();

Of course, after I just typed all of that, I think I see your problem:

$username = $_REQUEST['username '];

There is a space at the end of the array index name - so there is no username for the code to access. This tells me that the logic to perform the login is faulty and is not reporting an error when no username is supplied (either unset or empty).

 

And here's another possible problem:

if(isset($_POST['Submit']) && $_POST['Submit'] == "Secure_Login")

The code is looking for a variable with the name Submit. However, your form uses a submit button not an input field with a type of submit. I didn't think buttons passed values. But, you shouldn't use the submit button to check if a form was posted anyway. You can check the $_SESSION['REQUEST_METHOD'] to see if a form was POSTed

Edited June 3, 2016 by Psycho

[Jacques1]

Besides all that: Do not ever include passwords in a URL.

 

Not only will the plaintext passwords appear in all kinds of logs and be sent to any external link via the referrer header. The mechanism can also be used for a log-in CSRF attack where the attacker creates a dummy account on your site and then makes the victim use that account rather than their own:

https://www.yoursite.com/login?username=account_of_the_attacker&password=...

If the victim clicks on this URL (which may be hidden behind a short URL), the victim will unknowingly be logged in under the attacker's account and leave all kind of sensitive data while browsing your site.

 

So the URL is definitely the last place for a password. Instead, simply make the log-in form of your main domain post to the subdomain (via the action attribute).