PHP 服务器端帖子重新创建替换安全单点登录
我为外部网站托管和管理内部网并管理多个单点登录。我们总是通过某种隐藏的形式来做到这一点。
示例
<form method="post" action="example.php">
<input type="hidden" value="user" name="user" />
<input type="hidden" value="password" name="password" />
</form>
然后,我们可以让 JavaScript 事件在后台提交隐藏表单并登录用户。
但是,已经通过我们网站身份验证的更复杂的用户可以查看源代码并查看用户名和密码。
我更喜欢从 PHP 脚本发布信息,以便将它们无缝地登录到外部站点。
我在网上做了很多研究,并提出了一些人们实现的一致代码行,但它们似乎不起作用。
它们通常类似于下面的代码:
$ch = curl_init($POSTURL);
curl_setopt($ch, CURLOPT_POST ,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,POSTVARS);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION ,1);
curl_setopt($ch, CURLOPT_HEADER ,0); // DO NOT RETURN HTTP HEADERS
curl_setopt($ch, CURLOPT_RETURNTRANSFER ,1); // RETURN THE CONTENTS OF THE CALL
$Rec_Data = curl_exec($ch);
curl_close($ch);
但是,我的身份验证似乎不起作用。如果我尝试打印curl_exec返回的内容,则不会成功。我也不确定这是否是正确的方法。
我从代码中收到以下错误:
Curl 错误:设置证书验证位置时出错:CAfile: /etc/ssl/certs /ca-certificates.crt CApath: none
我不想将用户保留在我们的网站内,我只想在验证用户身份后启动其他网站。如果这在标准 HTML 帖子中有效,我应该能够使用服务器端代码重新创建此功能。正确的?
顺便说一句,我以前用 Coldfusion 做过类似的事情。这要容易得多。 PHP 及其所有用户肯定已经想出了一些办法!
I host and intranet and manager several Single Sign Ons for outside websites. We have always done this through some sort of hidden form.
Example
<form method="post" action="example.php">
<input type="hidden" value="user" name="user" />
<input type="hidden" value="password" name="password" />
</form>
We can then have a javascript event submit the hidden form behind the scene and log in the user.
However, a more sophisticated user, who is already authenticated into our site, could view the source and view the user name and password.
I would prefer to have the information posted from a PHP script to seamlessly log them into the external site.
I have done a lot of research on the web and have come up with a few consistent lines of code that people implement that don't seem to work.
They usually are similar to the code below:
$ch = curl_init($POSTURL);
curl_setopt($ch, CURLOPT_POST ,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,POSTVARS);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION ,1);
curl_setopt($ch, CURLOPT_HEADER ,0); // DO NOT RETURN HTTP HEADERS
curl_setopt($ch, CURLOPT_RETURNTRANSFER ,1); // RETURN THE CONTENTS OF THE CALL
$Rec_Data = curl_exec($ch);
curl_close($ch);
However, I the authentication does not seem to work . If I try to print what is returned by curl_exec, I don't have any success. I also am not sure if this would even be the right way to go about it.
I get the following error from my code:
Curl error: error setting certificate verify locations: CAfile: /etc/ssl/certs
/ca-certificates.crt CApath: none
I don't want to keep the users inside our site, I just want to launch the other site after authenticating them. If this works in a standard HTML post, I should be able to recreate this ability using server side code. Right?
On a side note, I have done something like this in my former life with Coldfusion. It was much much easier. Surely PHP and all its users have come up with something!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您将无法使用 cURL 或任何其他类似方法来执行此操作。
您上面发布的代码示例在服务器上运行,而不是在客户端上运行。因此,您正在向第三方网站而不是客户端验证服务器。由于您无法将 cookie 作为另一个域发送到客户端,因此在服务器端签名非常无用(好吧,除非您计划代理整个站点,这实际上不是一个解决方案)。
当你坐下来想一想,这里谁需要进行身份验证?客户端还是服务器? 客户会这样做。
您需要在客户端完成工作才能登录第三方网站上的客户端。您的隐藏表单方法效果很好,但不太安全。
您还可以对 HTML 中的值进行加密,并使用 JavaScript onSubmit 在客户端对其进行解密,但这将是隐秘的安全性(您的解密密钥和算法将可供任何想要获取这些值的恶意用户使用)。
最好的(嗯,安全方面)是使用 Flash 或 Java 或 ActiveX 控件在第三方网站上发送请求。这样,您的登录凭据就会被锁定为一种确实不容易提取的格式(仍然可能,但超出了大多数用户的范围),并且它是在客户端执行的。
You won't be able to do this with cURL or any other similar methods.
The code example you've posted above runs on the server, not on the client. Therefore you are authenticating the server to the third-party website and not the client. Since you cannot send a cookie as another domain to the client, signing on server side is pretty useless (well, unless you plan to proxy the whole site, which really isn't a solution).
When you sit back and think about it, who needs to be authenticated here? The client or the server? The client does.
You need to do your work client-side in order to login the CLIENT on the third-party website. Your hidden form approach works well, but isn't very secure.
You could also encrypt the values in the HTML and decrypt it client-side using JavaScript onSubmit, but that would be security by obscurity (your decrypt key and algorithm will be available to any malicious user wanting to get the values).
The best (well, security-wise) would be to use either Flash or Java or an ActiveX control to send the request on the third-party website. That way, your login credentials are locked into a format that really isn't easy to extract (still possible, but beyond the reach of most users), and it is executed client-side.