Passing form variables to .exe via php

nordberg

I have a unique problem that I can't figure out..

My company provides a web-based product through a third party program that runs as a /cgi-bin/.exe file. Normally, someone clicks a link that passes hidden form variables about what options to show to the exe and then they have to provided a username adn password before they can procede fully into the product (also provided by the exe).

I would like to circumvent this by placing my own security level above the exe for user authentication/authorization and pass the necessary login variables to the exe without user intervention using a single superuser account. The problem is that I can't use javascript since it would mean the user:pass are sent to the browser and I can't use frames since it disables some of the product funtionality. I can't just use a Header("url?....") since that would reveal the user:pass. I have tried exec(), passthru(), header(), and fopen().

So does anyone know how I can GET variables to a executable without passing them via the url, js, frames, and completely serverside?

Any thoughts would be greately appreciated.
- Erik

Anon

You need to use cookies for that.

That way you can store the user's password & username in the browsers memory, and it's being passed to your script every time it is visited.

Read more on cookies at
http://www.php.net/manual/en/function.setcookie.php

jeremy_brooks

seems to me that you may want to consider using some type of SSL structure for that process; if you did then you could just keep the info in the URL string (unless you're concerened about shoulder-surfers)

juneym

You need to put your script on an SSL-enabled directory first. Another is, after the user have successfully login. Generate 2 hash string. The first hash is called the DERIVED-KEYs: a hash created using

DERIVED-KEY1 = MD5("username" . "password" . $time() . "Your Sites Secret Key 1")

DERIVED-KEY2 = MD5( "password" . "username" . $time() . "Your Sites Secret Key 2")

... this is the hash string which will be applied to another HASH string called the AUTH-HASH. THe AUTH-HASH is a string derived by calling

md5(DERIVED-KEY1 . DERIVED-KEY2)

then, save it to cookie.

SetCookie("auth_hash", "$AUTH-HASH",0)
SetCookie("derived_key1", "$DERIVED-KEY1",0)
SetCookie("derived_key2", "$DERIVED-KEY2",0)

... save other cookie info if needed.

on each page always check the validity of of the AUTH-HASH by doing this,

$validkey = md5($derived_key1 . $derived_key2);

if ($validkey == $auth_hash) {

the user is valid....

}
else {
denied
}

remember, that when the user closed their browser, the cookie information (keys, and hashes) will be deleted automatically.

Try this, 🙂

Jun