[nycphp-talk] ColdFusion Question
Jerry Kapron
nyphp at NewAgeWeb.com
Thu Feb 20 11:40:41 EST 2003
Hans,
I may be paranoid, but I'd use a different approach (IMO more secure).
When a user logs on to the ColdFusion server generate a unique ID - session
id or something to that effect. Store it in a database with the username,
User-Agent string, and the IP address of the client. Of course that row
should be deleted when the user logs out or expired after X minutes of
inactivity. Next write a small CF script (check.cfm) that will respond only
to requests sent from the IP address matching your Linux/PHP server. This
script would take the said unique ID as a GET var and echo the associated
username, User-Agent string, and the IP address from the database.
Now when you redirect the user from the CF app to your PHP app, it would be
done with a link like this one:
http://linux.server/verify.php?id=737b8a3cfa90cda3bc
Your verify.php would issue a request including the ID as a GET var (using
fopen) to check.cfm on your IIS/CF server. check.cfm would query the
database for the username, User-Agent string, and the IP address associated
with the ID and echo the results. The output would be captured and parsed by
verify.php. If the returned User-Agent and IP address match
$_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'], a PHP session is
established and the returned username is stored as a session var... and life
is good.
Of course you may apply encoding/encryption on top of that.
Jerry
--
42.7% of all statistics are made up on the spot.
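The hand-off described above, as an added example that is not part of Jerry's or Hans's posts: check.cfm is stood in for by a PHP function and the database by an array, so the whole exchange runs on one machine. The function names, the PHP server address (`PHP_SERVER_IP`), the idle timeout and the session rows are all constructed for the demo; only the ID from the sample link is taken from the message.

```php
<?php
// Added example (not from the thread): a runnable model of the hand-off Jerry
// describes. check.cfm is stood in for by a PHP function and the database by an
// array; the PHP server address, TTL and session rows are constructed values.

const TTL_SECONDS   = 15 * 60;      // "expired after X minutes of inactivity"
const PHP_SERVER_IP = '10.0.0.20';  // hypothetical address of the Linux/PHP box

// Stand-in for check.cfm: answer only the PHP server, and only for a live row.
// Echoes "username\nuser-agent\nip"; any failure is an empty body, so the caller
// learns nothing about whether the ID exists.
function check_cfm(array $table, string $id, string $requestorIp, int $now): string {
    if ($requestorIp !== PHP_SERVER_IP) return '';
    $row = $table[$id] ?? null;
    if ($row === null || $now - $row['last_seen'] > TTL_SECONDS) return '';
    return implode("\n", [$row['user'], $row['ua'], $row['ip']]);
}

// verify.php side: parse what check.cfm echoed and compare it with the browser now
// talking to the PHP server ($_SERVER['HTTP_USER_AGENT'] / $_SERVER['REMOTE_ADDR']
// in the real script). Returns the username for the PHP session, or null to refuse.
function verify(string $body, string $clientUa, string $clientIp): ?string {
    $parts = explode("\n", $body);
    if (count($parts) !== 3 || $parts[0] === '') return null;
    [$user, $ua, $ip] = $parts;
    if (!hash_equals($ua, $clientUa) || !hash_equals($ip, $clientIp)) return null;
    return $user;
}

// Constructed session table, as written by the CF login; the first ID is the
// one from the example link, the second row has been idle for an hour.
$now = time();
$sessions = [
    '737b8a3cfa90cda3bc' => ['user' => 'mstudent01', 'ua' => 'Mozilla/4.0 (compatible; MSIE 6.0)',
                             'ip' => '192.0.2.44', 'last_seen' => $now - 60],
    'f00dbabef00dbabe11' => ['user' => 'mstudent02', 'ua' => 'Mozilla/4.0 (compatible; MSIE 6.0)',
                             'ip' => '192.0.2.45', 'last_seen' => $now - 3600],
];
$ua = 'Mozilla/4.0 (compatible; MSIE 6.0)';
$cases = [
    'same browser follows the link'     => ['737b8a3cfa90cda3bc', PHP_SERVER_IP, $ua, '192.0.2.44'],
    'ID pasted from another address'    => ['737b8a3cfa90cda3bc', PHP_SERVER_IP, $ua, '198.51.100.9'],
    'ID reused after the row expired'   => ['f00dbabef00dbabe11', PHP_SERVER_IP, $ua, '192.0.2.45'],
    'check.cfm asked by a non-PHP host' => ['737b8a3cfa90cda3bc', '198.51.100.9', $ua, '192.0.2.44'],
];
foreach ($cases as $label => [$id, $from, $clientUa, $clientIp]) {
    $user = verify(check_cfm($sessions, $id, $from, $now), $clientUa, $clientIp);
    printf("%-36s %s\n", $label . ':', $user === null ? 'refused' : "session for $user");
}
```

Only the first case yields a session; the other three show why the IP filter on check.cfm, the User-Agent/IP comparison and the idle timeout each matter on their own.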
-----Original Message-----
From: Hans Zaunere <hans at nyphp.org>
To: NYPHP Talk <talk at nyphp.org>
Date: Thursday, February 20, 2003 9:22 AM
Subject: [nycphp-talk] ColdFusion Question
>
>OK, no comments please :)
>
>I'm now in charge of CF development, and while things have been moving "well"
>there's one issue I can't seem to get past easily.
>
>Basically there is a CF app on IIS under Windows 2000 with a login process
>that I have no control over, nor access to. My only ability is to place a
>link on the protected CF page that will bring the user to a PHP app on a
>Linux server across campus, which also needs to know who the user is.
>
>The most obvious way to do this is to create the link in the CF app to
>contain a GET variable with the username in it. OK fine, this would work,
>albeit weak. Of course, we're dealing with computer illiterate medical
>students, so 9 times out of 10 this would suffice.
>
>Yet, it scares me, so I want to add a couple of additional checks. Basically my
>question is, how could I get a MAC address, CPU ID, or some other identifying
>tag (not IP) from the IIS server, which I would then pass in the URL to my
>application.
>
>Additionally, to keep the pesky students in check, I'd like to encode the
>information so it becomes less obvious to them what we're doing. Ideally,
>I'd like PHP's base64_encode() functionality. Also, does ColdFusion have
>anything like PHP's serialize() ?
>
>Security through obscurity, gotta love it. Other ideas are welcome, but we
>are dealing with a considerably limited environment. And CF code examples
>would be greatly appreciated :)
>
>Thank you,
>
>H