Re: [Phplib-users] Form POST data not making it into auth_preauth()
From: Layne W. <la...@dr...> - 2004-10-18 02:33:58
Quoth Robert Van Overmeiren:
> I have a secure https site running on Java Tomcat and I want to be able
> to access an application built on PHP and PHPlib. I'm thinking I can
> have a link that submits a form with the username/password as hidden
> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
> in 2000) to my extension of the 'Auth' class:
...
> If I hard code in the username and password, I get authenticated and
> go straight in. If I use a GET request method in the form, I can get
> in, but then the password is in the URL. I can't get my form data
> into the variables via POST Method - which is what I want to use. The
> posting to phpbuilder doesn't say you need to do anything to get the
> data into variables.
...
> I can echo back form data ($_POST['username']) up to point of the
> 'release_token()' function. After that the data is gone and I can't get
> it back.

You are losing the POST when PHPLIB creates your session cookie. Cookies
historically are (or were) not available on the page that created them, so
the workaround was to create the cookie and instantly cause the browser to
load the same page again through a header redirect. PHPLIB's Session class
does not anticipate your problem of posting before the session has been
created.

I see two options:

1. From your Java site, link to an invisible 1x1 gif from the PHPLIB site -
this will create the session transparently, allowing the later POST to go
through and authenticate within the PHPLIB session. This method will not
work for users who turn off images and/or set their browser to only download
images from the site they are visiting.

2. Rewrite the PHPLIB session creation routine to look for incoming POST on
pages without a valid session. If POST is found, then instead of the Header
redirect create an HTML page with a form containing the POST data with
<body onLoad="yourformname.submit();"> to complete the creation of the
session cookie. This method will not work for non-Javascript browsers, but
should work in many situations.

3. Optionally, combine both methods to catch as many people as you can.

--
Layne Weathers
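
The relay page from option 2, as an added example that is not code from this message or from PHPLIB: it rebuilds the incoming POST as hidden inputs, HTML-escaping every name and value, because the page echoes request data (including the password) back into markup. The function names `flatten_post` and `render_relay_form`, the form name `relay`, the `<noscript>` fallback and the sample values are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not part of PHPLIB.

// Flatten nested POST arrays into name => value pairs using PHP's bracket
// syntax (a[b][c]) so the re-submitted form is parsed back identically.
function flatten_post(array $data, string $prefix = ''): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += flatten_post($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

// Build the page sent instead of the header redirect: the session cookie
// travels with this response, and the browser then repeats the POST.
function render_relay_form(array $post, string $action): string
{
    // Escape for an attribute context; unescaped values could close the
    // attribute and inject markup into the relay page.
    $esc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    // Call the prototype's submit() so a posted field that happens to be
    // named "submit" cannot shadow the form's own method.
    $onload = "HTMLFormElement.prototype.submit.call(document.forms['relay']);";
    $html  = '<html><body onLoad="' . $esc($onload) . "\">\n";
    $html .= '<form name="relay" method="post" action="' . $esc($action) . "\">\n";
    foreach (flatten_post($post) as $name => $value) {
        $html .= '<input type="hidden" name="' . $esc($name)
               . '" value="' . $esc($value) . "\">\n";
    }
    // Manual fallback for browsers without JavaScript.
    $html .= "<noscript><input type=\"submit\" value=\"Continue\"></noscript>\n";
    return $html . "</form></body></html>\n";
}

// Constructed sample input: quotes, angle brackets and ampersands in a
// value must come out as inert entities in the generated page.
$sample = ['username' => 'rvo', 'password' => 'p"ss<word>&1',
           'opts' => ['remember' => '1']];
echo render_relay_form($sample, '/app/index.php');
```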