Thread: [Phplib-users] Form POST data not making it into auth_preauth()
From: Robert V. O. <van...@un...> - 2004-10-13 19:38:32
Hello,

I have a secure https site running on Java Tomcat and I want to be able to access an application built on PHP and PHPlib. I'm thinking I can have a link that submits a form with the username/password as hidden inputs. I've added the 'auth_preauth()' function (posted to phpbuilder in 2000) to my extension of the 'Auth' class:

    function auth_preauth() {
        global $do_preauth, $username, $password;
        $uid = false;
        if (isset($do_preauth)) {
            $this->db->query(sprintf("select user_id, perms ".
                                     " from %s ".
                                     " where username = '%s' ".
                                     " and password = '%s'",
                                     $this->database_table,
                                     addslashes($username),
                                     addslashes($password)));
            while($this->db->next_record()) {
                $uid = $this->db->f("user_id");
                $this->auth["perm"] = $this->db->f("perms");
                $this->auth["uname"] = $username;
            }
        }
        return $uid;
    }

The function is very similar to the 'auth_validatelogin()' function, but is called earlier in the whole process - before 'auth_loginform()'. It is supposed to allow someone to use their own login form, and to bypass the default form.

If I hard code in the username and password, I get authenticated and go straight in. If I use a GET request method in the form, I can get in, but then the password is in the URL. I can't get my form data into the variables via POST Method - which is what I want to use. The posting to phpbuilder doesn't say you need to do anything to get the data into variables.

I've been dissecting the phplib files and find that 'page_open()' calls a 'start()' function from the 'Session' class, then a 'start()' function from the 'Auth' class (and another from the 'User' class). The Session 'start()' function makes a series of function calls itself:

    function start($sid = "") {
        $this->set_container();
        $this->set_tokenname();
        $this->put_headers();
        $this->release_token($sid);
        $this->get_id($sid);
        $this->thaw();
        $this->gc();
    }

I can echo back form data ($_POST['username']) up to the point of the 'release_token()' function. After that the data is gone and I can't get it back.

What do I have to do to get the form data into the 'auth_preauth()' function?

Of course, if you can suggest other ways to pass credentials between Tomcat container managed security and phplib, I'd be interested.

Thx,
Bob Van
From: Nathaniel P. <np...@te...> - 2004-10-13 20:45:46
Robert Van Overmeiren wrote:

> Hello,
>
> I have a secure https site running on Java Tomcat and I want to be able
> to access an application built on PHP and PHPlib. I'm thinking I can
> have a link that submits a form with the username/password as hidden
> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
> in 2000) to my extension of the 'Auth' class:
>
> function auth_preauth() {
>     global $do_preauth, $username, $password;
>     $uid = false;
>     if (isset($do_preauth)) {
>         $this->db->query(sprintf("select user_id, perms ".
>                                  " from %s ".
>                                  " where username = '%s' ".
>                                  " and password = '%s'",
>                                  $this->database_table,
>                                  addslashes($username),
>                                  addslashes($password)));
>         while($this->db->next_record()) {
>             $uid = $this->db->f("user_id");
>             $this->auth["perm"] = $this->db->f("perms");
>             $this->auth["uname"] = $username;
>         }
>     }
>     return $uid;
> }
>
> The function is very similar to the 'auth_validatelogin()' function, but
> is called earlier in the whole process - before 'auth_loginform()'. It
> is supposed to allow someone to use their own login form, and to bypass
> the default form.
>
> If I hard code in the username and password, I get authenticated and go
> straight in.
> If I use a GET request method in the form, I can get in, but then the
> password is in the URL.
> I can't get my form data into the variables via POST Method - which is
> what I want to use.
> The posting to phpbuilder doesn't say you need to do anything to get the
> data into variables.

Well, looking at your code, my guess would be that register_globals are off in your setup, and that instead of auth_preauth() getting your form data from $_POST like it should, it is trying to get it from the global variable space. PHPlib was originally coded around the assumption that register_globals was on; it's only relatively recently (around 2003, I think?) that the register_globals issue was fixed to work whether or not PHP ran with register_globals off.

I'd suggest replacing this line:

    global $do_preauth, $username, $password;

with something that looks like this:

    //In addition to supplying a username and password, the form must have an element
    //named 'do_preauth' which is set to something that evaluates to TRUE in PHP, in order
    //for the preauth function to work.
    $do_preauth = $_POST['do_preauth'];
    $username = $_POST['username'];
    $password = $_POST['password'];

However, I can't be sure that this is the problem... It might be helpful if you post some sample code of the form you're submitting from as well as a stripped down version of the code you are using on your page. If you have customized other parts of PHPlib (aside from setting the database parameters), that might be useful to know as well.

Also, are you using PHP3 or PHP4 sessions (i.e. are you using prepend.php or prepend.php3 to include PHPlib)? From your quoted start() code below, it seems like you're using PHPlib's PHP3-compatible sessions.

Finally, one thing that has helped me understand PHPlib's auth system much better is this explanation here: http://www.drostan.org/Application/webdev/uod/auth_phplib.php

At its core, the auth_preauth function is nothing special... all it needs to do to do its job is somehow return a PHPlib userid instead of false.

> I've been dissecting the phplib files and find that 'page_open()' calls
> a 'start()' function from the 'Session' class, then a 'start()' function
> from the 'Auth' class (and another from the 'User' class). The Session
> 'start()' function makes a series of function calls itself:
>
>     function start($sid = "") {
>         $this->set_container();
>         $this->set_tokenname();
>         $this->put_headers();
>         $this->release_token($sid);
>         $this->get_id($sid);
>         $this->thaw();
>         $this->gc();
>     }
>
> I can echo back form data ($_POST['username']) up to the point of the
> 'release_token()' function. After that the data is gone and I can't get
> it back.

release_token() includes code that will cause a redirect (specifically, it sends a 302: Moved Temporarily header and redirects to itself, appending a session id to the URL) if $sess->mode is set to 'get' or $sess->fallback_mode is set to 'get' and it doesn't detect that a session cookie is set. Since the script tries to detect the cookie before it gets set (that occurs in get_id()) when you first enter a page without an existing session cookie set on your browser, it will /always/ redirect, even if your browser supports cookies. This is probably what is causing you to lose your $_POST data.

You can work around this by setting $sess->mode to 'cookie' and $sess->fallback_mode to null or false, as this will keep the code from triggering a redirect. Unless you have a very good reason for supporting browsers where the user has turned cookies off (or even more rarely, one that doesn't support cookies), this should be an adequate solution.

There may be a better solution that will support 'get' mode, but I can't think of one off the top of my head. You'd have to store your post data in the session somewhere after the call to get_id() in release_token() or something, and then have some corresponding mechanism for digging it back out again. If you can switch to using PHP4-style sessions for PHPlib, you might be able to do that more easily, as you could then store the $_POST data in a PHP4 session natively, bypassing most of PHPlib's session handling.

> What do I have to do to get the form data into the 'auth_preauth()'
> function?
>
> Of course, if you can suggest other ways to pass credentials between
> Tomcat container managed security and phplib, I'd be interested.

The main problem is that it depends on credentials set at the client end. So, basically, unless your Tomcat app can set a cookie that can later be read by PHP and both your Tomcat app and PHP app are accessed through the same domain name and protocol (i.e. both are accessed through HTTPS), you're out of luck. PHP would also need to have access to the same data store that you use to keep track of the session in Tomcat.

Hope that helps.

-- 
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
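The following is an added example, not code from this thread or from PHPlib. It reproduces in miniature the two points made in the reply above: a first-visit request with no session cookie gets a 302 to itself when 'get' mode is involved, and because browsers follow a 302 with a GET the POST body never reaches auth_preauth(); and reading the credentials from $_POST explicitly works whether register_globals is on or off. The function names, the cookie name PHPLIBSID and the request arrays are constructed for this example; PHPlib's real release_token() and get_id() differ in detail.

```php
<?php
// Added example (not PHPlib code). Simulates the session-start decision the
// reply describes and shows what auth_preauth() sees under each $sess setting.

/**
 * Decide what a PHPlib-style session start does with one request.
 * No session cookie yet and either $sess->mode or $sess->fallback_mode
 * being 'get' means a 302 redirect to self with the sid in the query string.
 * Returns ['action' => 'redirect', ...] or ['action' => 'serve', ...].
 */
function session_start_outcome(array $cookies, array $server, string $mode, $fallback_mode, string $cookie_name = 'PHPLIBSID'): array
{
    if (isset($cookies[$cookie_name])) {
        return ['action' => 'serve', 'sid' => $cookies[$cookie_name]];
    }
    $sid = bin2hex(random_bytes(16));   // fresh session id for the Set-Cookie header
    if ($mode === 'get' || $fallback_mode === 'get') {
        // The browser follows a 302 with a GET, so the POST body is dropped here.
        return ['action'     => 'redirect',
                'location'   => $server['REQUEST_URI'] . '?' . $cookie_name . '=' . $sid,
                'set_cookie' => $sid];
    }
    // Cookie-only mode: set the cookie and keep serving this same request.
    return ['action' => 'serve', 'sid' => $sid, 'set_cookie' => $sid];
}

/**
 * What auth_preauth() should read instead of `global $do_preauth, $username, $password`.
 * Returns null when the form did not request preauth or a field is missing.
 */
function preauth_credentials(array $post): ?array
{
    if (empty($post['do_preauth']) || !isset($post['username'], $post['password'])) {
        return null;
    }
    return ['username' => (string) $post['username'],
            'password' => (string) $post['password']];
}

/** Simulate the browser: the first request is the POST; a 302 is followed with an empty-bodied GET. */
function simulate(string $mode, $fallback_mode): ?array
{
    // Constructed sample request from the hidden-input form on the Tomcat side.
    $server  = ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/app/index.php'];
    $post    = ['do_preauth' => '1', 'username' => 'alice', 'password' => 'constructed-secret'];
    $cookies = [];   // first visit: no session cookie yet

    $outcome = session_start_outcome($cookies, $server, $mode, $fallback_mode);
    if ($outcome['action'] === 'redirect') {
        $cookies['PHPLIBSID'] = $outcome['set_cookie'];   // browser stores the cookie...
        $post = [];                                       // ...and re-requests with GET
        $server['REQUEST_METHOD'] = 'GET';
        session_start_outcome($cookies, $server, $mode, $fallback_mode);
    }
    return preauth_credentials($post);   // what auth_preauth() would have to work with
}

var_dump(simulate('cookie', 'get'));    // NULL: credentials lost on the redirect
var_dump(simulate('cookie', false));    // username/password array: preauth can run
```

Run it with `php` on the command line. The second call is the configuration the reply recommends ($sess->mode = 'cookie' with no 'get' fallback); the first shows why a GET fallback silently discards the credentials on the very first visit even in a cookie-capable browser.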
From: Layne W. <la...@dr...> - 2004-10-18 02:33:58
Quoth Robert Van Overmeiren:
> I have a secure https site running on Java Tomcat and I want to be able
> to access an application built on PHP and PHPlib. I'm thinking I can
> have a link that submits a form with the username/password as hidden
> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
> in 2000) to my extension of the 'Auth' class:
...
> If I hard code in the username and password, I get authenticated and
> go straight in. If I use a GET request method in the form, I can get
> in, but then the password is in the URL. I can't get my form data
> into the variables via POST Method - which is what I want to use. The
> posting to phpbuilder doesn't say you need to do anything to get the
> data into variables.
...
> I can echo back form data ($_POST['username']) up to the point of the
> 'release_token()' function. After that the data is gone and I can't get
> it back.

You are losing the POST when PHPLIB creates your session cookie. Cookies historically are (or were) not available on the page that created them, so the workaround was to create the cookie and instantly cause the browser to load the same page again through a header redirect. PHPLIB's Session class does not anticipate your problem of posting before the session has been created.

I see two options:

1. From your Java site, link to an invisible 1x1 gif from the PHPLIB site - this will create the session transparently, allowing the later POST to go through and authenticate within the PHPLIB session. This method will not work for users who turn off images and/or set their browser to only download images from the site they are visiting.

2. Rewrite the PHPLIB session creation routine to look for incoming POST on pages without a valid session. If POST is found, then instead of the Header redirect create an HTML page with a form containing the POST data with <body onLoad="yourformname.submit();"> to complete the creation of the session cookie. This method will not work for non-Javascript browsers, but should work in many situations.

3. Optionally, combine both methods to catch as many people as you can.

-- 
Layne Weathers
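An added example of option 2, not code from this thread or from PHPlib: the page that creates the session cookie writes the incoming POST back out as hidden fields in a form that submits itself on load, so the same data arrives a second time once the cookie exists. Because the field names and values are request input being written into HTML, they are passed through htmlspecialchars(); without that, this page would be a reflected-XSS sink. The function names and the sample form data are constructed for this example, and where it hooks into PHPlib's session routine is only indicated in a comment.

```php
<?php
// Added example (not PHPlib code): build the self-submitting re-POST page
// described in option 2, with every echoed name and value HTML-escaped.

/**
 * Build the HTML for a form that resubmits $post to $action on load.
 * Nested arrays (PHP's name[] convention) are flattened so that the
 * resubmitted request parses into the same $_POST structure.
 */
function repost_form_html(array $post, string $action, string $form_name = 'repost'): string
{
    $fields = '';
    foreach (flatten_post($post) as $name => $value) {
        $fields .= sprintf(
            "  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    $action_esc = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $name_esc   = htmlspecialchars($form_name, ENT_QUOTES, 'UTF-8');
    return "<html><body onload=\"document.forms['$name_esc'].submit();\">\n"
        . "<form name=\"$name_esc\" method=\"post\" action=\"$action_esc\">\n"
        . $fields
        // Fallback for browsers without JavaScript: the user clicks once.
        . "  <noscript><input type=\"submit\" value=\"Continue\"></noscript>\n"
        . "</form></body></html>\n";
}

/** Flatten ['a' => ['b' => 'c']] into ['a[b]' => 'c']. */
function flatten_post(array $post, string $prefix = ''): array
{
    $out = [];
    foreach ($post as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += flatten_post($value, $name);
        } else {
            $out[$name] = (string) $value;
        }
    }
    return $out;
}

// Where this would sit in the session-creation path (assumed; PHPlib's own
// release_token() is structured differently). The action is the script's own
// URI, never a request-supplied URL, and the response is marked no-store
// because it carries the password in the page body.
//
// if (!$have_session_cookie && $_SERVER['REQUEST_METHOD'] === 'POST') {
//     header('Cache-Control: no-store');
//     echo repost_form_html($_POST, $_SERVER['REQUEST_URI']);
//     exit;
// }

// Constructed sample: what the hidden-input form on the Tomcat side posted,
// with characters in the password that must be escaped before being echoed.
$sample = ['do_preauth' => '1', 'username' => 'alice', 'password' => 'pa"ss<word>&'];
echo repost_form_html($sample, '/phplib/app.php');
```

Run it with `php` on the command line and inspect the output: the password appears as `pa&quot;ss&lt;word&gt;&amp;` inside the value attribute, and a browser submits the form back to /phplib/app.php as soon as the page loads, this time with the session cookie attached. The noscript submit button covers the non-Javascript case mentioned above at the cost of one click.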