Accessing Cookies In PHP from Different Application

hackersapien

Hi,

I've developed a workflow system using PHP,MySQL and Apache, the system needs to be deployed onto a central server and should be accessible via the intranet to specific users.

The intranet (developed in Classic ASP, don't as me why?!?!) already has a login feature which saves the information in a cookie, Is it possible that when a person accesses my PHP app using a specific URL that I be able to check for the a specific cookie and if it exists I give them access to my workflow application?

I figure that since cookies are stored in the client (browser) then PHP should be able to access the cookies set by the ASP application although I could be wrong.

Any help from you guys would be appreciated.

Cheers

sneakyimp

Your php code should be able to find those cookies if these conditions are met:

1) the domain where they are set matches your domain
2) the original ASP code set the cookies with a path that is accessible to your application.

you'll recall that when setting a cookie in php, you can supply not only a name and value but also path and domain. there are other parameters too but the point is that the original ASP cookie might be set so that you can't access it.

for instance, if i had a php app at http://domain.com/sneaky and i did this:

setcookie('cookie_name', 'here is the cookie value', time()+3600, '/sneaky', '.domain.com');

then in YOUR application in http://domain.com/hacker then you would NOT be able to see the cookie. why? because i explicitly supplied '/sneaky' as a path argument which means that only pages under /sneaky can access that cookie. summary: the path var is a way to limit cookies to a specific region of your site.

the domain argument to setcookie can also limit where the cookie is defined. i don't know much about ASP and how it handles cookies, but there is some interesting reading here:
http://us3.php.net/manual/en/features.cookies.php

there's some pretty detailed but technical info here:
http://wp.netscape.com/newsref/std/cookie_spec.html
http://www.faqs.org/rfcs/rfc2965

finally, to see what cookies are available to your script, look in the $COOKIE superglobal like this:

print_r($_COOKIE);

hackersapien

sneakyimp,

thanks for your response, to give you a clearer picture of the current scenario am In this the way the applications are structured:

The main intranet is accessed via http://intranet/
My workflow application is located within the /apps folder in the intranet i.e.
http://intranet/apps/recruitment

The main intranet is accessed via http://intranet/
My workflow application is located within the /apps folder in the intranet i.e.
http://intranet/apps/recruitment

I have tried to echo out all cookies using the

print_r($_COOKIE);

statement but it returns an empty array object. This shouldn't be the case since the intranet login sets cookies.

I have examined the Classic ASP code and:

The cookies are not set to a specific domain
No path has been set for the cookie

In ASP cookies are set using the following code:

Response.Cookies("cookieName") = cookieValue
Response.Cookies("firstname")="Alex"

A cookie collection is set using:

Response.Cookies("collectionName")("cookieName")="cookieValue"
Response.Cookies("user")("firstname")="John"

Retrieval is done using:

Request.Cookies("cookieName")

So am back to square one, I hope I've given you a better picture of what's going on

sneakyimp

when you tried print_r() on the cookies, were you certain that cookies had been set? did you serve that php code from the intranet server or a different server?

if both answers are yes, i'm not sure what to tell you. maybe read the asp documentation about setting cookies? another approach might be to write a page that uses javascript to check for the cookies and try to find them that way?

hackersapien

Hi sneakyimp,

I realised that I hadn't set the cookies in the previous setup and that's why the

print_r($_COOKIE);

wasn't working. When I run the file for testing cookies this is what was displayed:

Array ( [ASPSESSIONIDAQSQQBBQ] => OJAHJMJCPGAJBLHEBNLNHMMG [hrintranet] => GID=1&UID=120&Names=JohnDoe&Uname=jdoe&Cookie=jdoe1201 )

As i said in an earlier post, the classic ASP cookie has been set in a collection, in this case the collection is called hrintranet.

How Can I now access the individual cookie name=>values in PHP bearing in mind that in PHP am yet to see cookie collections?

Thanks for your help...

Weedpacket

So you're saying that
"GID=1&UID=120&Names=JohnDoe&Uname=jdoe&Cookie=jdoe1201" is the cookie collection?
Looks like a typical urlencoded querystring. Have a look at [man]parse_str[/man]. Use the return array parameter for safety's sake.

So all up that would be

parse_str($_COOKIE["hrintranet"], $hrintranetCollection);

print_r($hrintranetCollection);

hackersapien

Weedpacket wrote:
So you're saying that
"GID=1&UID=120&Names=JohnDoe&Uname=jdoe&Cookie=jdoe1201" is the cookie collection?
Looks like a typical urlencoded querystring. Have a look at [man]parse_str[/man]. Use the return array parameter for safety's sake.

So all up that would be
parse_str($_COOKIE["hrintranet"], $hrintranetCollection);

print_r($hrintranetCollection);

Your suggestion to parse the cookie was brilliant 🙂 , this is the code I used:

print_r($hrintranetCollection); 

echo "GID=".$hrintranetCollection['GID'];

The result was:

Array ( [GID] => 1 [UID] => 120 [Names] => John Nyukuri [Uname] => jwesonga [Cookie] => jwesonga1201 )

GID=1

I can now use the GID cookie value to validate against a database of users 🙂

Big thanks to sneakyimp and weedpacket for all your help...

hackersapien

I have written a checkcookie.php file which I include in the header.php to check if the cookie with a particular value exists:

<?php
$hrCookie=$_COOKIE["hrintranet"];
	parse_str($hrCookie, $hrintranetCollection);
	if($hrintranetCollection['Dept']=="4"){
			header("Location:index.php");
		}else{
			header("Location:login.php");
		}
?>

But immediately I load the page I get the following error message from firefox:

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

*   This problem can sometimes be caused by disabling or refusing to accept
      cookies.[/B]

Cookies are enabled on my browser as well as all other browsers. If I put the following code:

parse_str($_COOKIE["hrintranet"], $hrintranetCollection);
echo "Dept=".$hrintranetCollection['Dept'];

It prints out the Dept value...any ideas please

Weedpacket

Where is header.php used? If it's in index.php or login.php you could be in trouble....

hackersapien

Weedpacket wrote:
Where is header.php used? If it's in index.php or login.php you could be in trouble....

The header.php is used in all of my files except the login.php. The current structure of my files is:

<?php
	include_once('includes/header.php');
	include_once('includes/applicants.php');
	$smode=$_GET['mode'];

?>
HTML here
<?php
	include_once('includes/footer.php');

?>

In my header.php file I have:

<?
	require_once 'dbconn.inc';
        require_once 'checkcookie.php';
	dbconnect();
	ob_start();
?>

HTML Stuff here

In my checkcookie.php I have:

<?php
	session_start();
	$hrCookie=$_COOKIE["hrintranet"];
	parse_str($hrCookie, $hrintranetCollection);
	if($hrintranetCollection['Dept']=="4"){
			header("Location:cvextract.php");
		}else{
			header("Location:login.php");
		}
?>

At which point does the trouble start?

Weedpacket

If cvextract.php uses header.php then you'll have:

Client requests cvextract.php
...server includes header.php
......server includes checkcookie.php
.........Verify that Dept==4
.........Redirect the client to cvextract.php
.........Client requests cvextract.php
............repeat [i]ad nauseum[/i]

The livehttpheaders extension for Firefox could be used here; see exactly which responses the server is sending back; I'm pretty sure it will log the start of any potentially infinite redirect loop.

I've just realised something else even more critical:

if($hrintranetCollection['Dept']=="4"){
	header("Location:cvextract.php");
}else{
	header("Location:login.php");
}

So if the Dept is 4, the client is redirected to cvextract.php
And if the Dept is not 4, the client is redirected to login.php

Either way, the client is redirected to another page. This probably isn't desired behaviour 🙂.

Incidentally, for reasons including security, header("Location:") calls should typically be followed by exit(); to stop further processing - no good can come of generating output and sending it to the client if the client isn't supposed to see it. Doing that with the above code highlights the problem....

hackersapien

Weedpacket,

Absolute genius you are...I followed your suggestion down to a tee and it worked. First I installed the livehttpheaders exyension from mozdev which showed me that I was actually running a form of loop resulting in the redirection failing.

I then patched the checkcookie.php with:

<?php
	$hrCookie=$_COOKIE["hrintranet"];
	parse_str($hrCookie, $hrintranetCollection);
	$deptCookie=$hrintranetCollection['Dept'];
	if($deptCookie!="4"){
		header("Location:login.php");
		exit();
	}

?>

This way it only does one redirection (to login.php) if the condition fails, the previous code had an else statement that would redirect you to the login.php page if the condition failed.

That works very well..am happy..my boss is happy....big thanks to Weedpacket and sneakyimp..

PHP kicks behind!!