[RESOLVED] create session after authentication on other server

royw

Hi,

I've posted my problem in an earlier thread and didn't get any luck. In this post I'm trying to make my question more clear:

I've wrote a php script that composes http get header, this script gets a file and does basic authentication (see below)
The server that recieves the request (this case: www.example.com) succesfully authenticates gives the script the page requested.

What I would like to happen:
- The page requested should initiate a session between the server and the client. Setting session_start(); in the page requested doesn't do the trick 🙁

<?
$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
$login = base64_encode("user:pass");
if (!$fp) {
echo "$errstr ($errno)<br />\n";
} else {
$out = "GET /sessioncreator.php HTTP/1.1\r\n"; //this file is retrieved and executed
$out .= "Host: www.example/com\r\n";
$out .= "Connection: Close\r\n";
$out .= "Authorization: Basic " . $login . "\r\n\r\n";

fwrite($fp, $out);
?>

Thanks,

Roy

dalecosp

Well, one question immediately comes to mind. How do you expect to make your script hang onto the PHPSESSID? Most browsers receive a cookie to handle that chore....

royw

Hi Dalecosp,

I see the problem now. I can set a cookie via the header, however the browser doesn't associate the cookie with the page from the secure server.

The session that's started is between the requesting server and the secure server B and not between server B and the client.

Somehow I got to manually create a session between the browser and the secure server with the same session id that is used between the to servers.

Is it possible to tell the browser it should use a specified session id when connecting to the secured server? Can PHP provide a response header to do this?

dalecosp

royw wrote:
Hi Dalecosp,

I see the problem now. I can set a cookie via the header, however the browser doesn't associate the cookie with the page from the secure server.

The session that's started is between the requesting server and the secure server B and not between server B and the client.

Somehow I got to manually create a session between the browser and the secure server with the same session id that is used between the to servers.

Is it possible to tell the browser it should use a specified session id when connecting to the secured server? Can PHP provide a response header to do this?

In order of questions: 1 > yes. 2 > I've never considered that.

One trick I've used is simply to pass the PHPSESSID in the query string; I'm not sure whether that's really uber-secure, though. I'm sure there are a few other ways to handle it, but it's early in the morning ATM...

royw

Hi Dalecosp, thanks for the help so far:

How can I submit the session id to the requesting browser and make it start a session with an other server then to one that got the initial get request from the browser?

I can send the session id to the client with javascript like
<script>
window.open('http://url?<? echo("Session.ID()";?>');
</script>

But how to tell the browser to use this to start a session with the secure server?

dalecosp

Well, the problem that I've not considered yet (at least, one of many I've not considered) ... are these servers actually on the same system?

Because, if they're not, then the same session data won't be there.

Of course, you could send a flag to the second server, "hey, he logged in over here and it's cool!" ....

               but that would be uber-*insecure*, I'd think, wouldn't it?

Now, if the "secure server" and the "log in server" (for lack of better terms) are actually the same box, then it's not so much of an issue. They should share the same session repository (often it's /tmp or something similar....), and you simply need to call [man]session_id/man prior to calling [man]session_start/man on the receiving server's script.

If they are different boxen, your task is more difficult. Sometimes in a "server farm", you have a shared database, and many applications will enact shared sessions in the database itself.

Otherwise, you're left with simply telling server B that the client successfully logged in at server A and stick a name tag on him. I'm sure there's creative ways to do that, but that's kinda outside of the scope of the volunteering we do around here at PHPBuilder, IMHO.... (gotta eat, y'know?) 😉

royw

Thanks for the great help. We use two different servers in the same domain.

Then as reply:
Sending a flag to server B doesn't seem secure to me either. Although a trick like:
- Write a script on server A that calls a script on server B

- This script on B edits the htaccess that protects the pages over there
- It does this by inserting an 'allow from 'IP client requesting certain page on server A'

But if I understand your post correctly I can also solve my issue by:
- sharing the session repository on A and have server B look in there for session info
- in the PHP pages on server B: call session_id($your_id_var) and then session_start();

That option brings one more question to my mind:
- On server B we're also using coldfusion: can other server sides languages start a session based on a PHP session ID?

dalecosp

royw wrote:
But if I understand your post correctly I can also solve my issue by:
- sharing the session repository on A and have server B look in there for session info
- in the PHP pages on server B: call session_id($your_id_var) and then session_start();

Should work. Say the servers both NFS mounted /tmp, and this directory was set as session.save_path in php.ini on both machines, I think, it would work. We have used this with an Apache "Virtual Host" (non-SSL) passing the PHPSESSID to the SSL host (on the same box, therefore same session.save_path) with success in the past.

That option brings one more question to my mind:
- On server B we're also using coldfusion: can other server sides languages start a session based on a PHP session ID?

Well, in theory you might be able to at least use this language to determine whether or not a PHP session had been active, but that would probably take some machinations of a rather "kludgy" nature. If you wanted the PHP Session data to actually mean something to CF, that'd be even harder, I'd think. But, I know next to nothing about coldfusion ... better ask them 😉

royw

Okay, this is what we're going to try:

add a virtual host in apache server A that refers to the webroot of the secured website on server B.
This way only apache server A asks for basic authentication, even when referring to the host on B. Only one browser session is needed.
Install coldfusion on server A so it supports the coldfusion apps located on server B.

For future reference: if this doesn't work, i'll post it here.

Dalecosp, thanks!

thorpe

why not take a look at the [man]session_set_save_handler/man function? create your own session object, save session data to a database and be done with most of your problems.

royw

Hi Thorpe,

That would be a viable option, the problem is: we wish not to alter server B's configuration. At max we're allowed to set one or two new php files there do some stuff for generating a browser session.