
Shannon,
One approach is to use HTTP authentication and use an HTTP 401
header to cause a username and password box to pop up in your browser.
The problem with this approach is that it passes the unencrypted
username and password in the HTTP header for each individual request.

Another mechanism would be to use PHP sessions to store the
username and password on the server side. This would be done during the
login in your application.

<?php

session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
}

?>

You would then use the session information to make the
connection for the request.

The problem with this approach is that you are storing your
username and password in clear text in the temp directory on the IFS,
which can be a bit of a security problem.

The third approach is more complicated, but much better.
Utilize encrypted session variables to store the username and password.
I have attached some code that I have used in the past to encrypt
session information on a variable-by-variable basis. I will provide the
code at the end of the email. What it basically does is store the
initialization vector on the browser in a cookie and the encryption key
on the server. Both are required in order to encrypt and decrypt the
session variables so someone would need to gain access to both the
server and the client to decrypt the session information.

Following is how it can be used. It was written using Zend
Framework, and therefore OOP, so I apologize if this poses a problem.
If you have Zend Framework installed this _should_ work out of the box
after pasting the class code into a file called EncryptedSession.php.
Also, this is old code that I _think_ is correct.

<?php

require_once 'EncryptedSession.php';

$session = new EncryptedSession();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $session->setEncrypted('username', $_POST['username']);
    $session->setEncrypted('password', $_POST['password']);
}

?>



Kevin Schroeder
Technical Consultant
Zend Technologies, Ltd.
www.zend.com


class EncryptedSession extends Zend_Session_Namespace {

    const CIPHER = MCRYPT_3DES;
    const MODE = MCRYPT_MODE_CBC;

    private $_iv;

    public function __construct($namespace = 'Default', $singleInstance = false)
    {
        parent::__construct($namespace, $singleInstance); // Must be true because of iv

        $storeKey = __CLASS__ . '_Data' . '_' . $namespace;

        if (!isset($_COOKIE[$storeKey]) || !isset($this->secretKey)) {
            $this->unsetAll();

            $maxKeySize = mcrypt_get_key_size(self::CIPHER, self::MODE);

            // Key from the OS CSPRNG (the posted version built it from dechex(rand()),
            // which is not a cryptographic source)
            $this->secretKey = mcrypt_create_iv($maxKeySize, MCRYPT_DEV_URANDOM);

            $iv_size = mcrypt_get_iv_size(self::CIPHER, self::MODE);

            $this->_iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

            // Cookie = hex HMAC of the IV under the server-side key, then the IV itself
            $hmac = hash_hmac('md5', $this->_iv, $this->secretKey);
            $unique = base64_encode($this->_iv);
            // The cookie has the same parameters as the session cookie
            $cookie_param = session_get_cookie_params();
            setcookie($storeKey, $hmac . $unique,
                $cookie_param['lifetime'],
                $cookie_param['path'],
                $cookie_param['domain'],
                $cookie_param['secure'],
                $cookie_param['httponly']);
        } else {
            $hmac = substr($_COOKIE[$storeKey], 0, 32); // hex MD5 HMAC is 32 chars
            $unique = base64_decode(substr($_COOKIE[$storeKey], 32));
            $check = hash_hmac('md5', $unique, $this->secretKey);
            if ($hmac !== $check) {
                throw new Zend_Session_Exception('Invalid Session Data');
            }
            $this->_iv = $unique;
        }
    }

    public function setEncrypted($key, $value)
    {
        $this->$key = bin2hex(mcrypt_encrypt(self::CIPHER, $this->secretKey,
            $value, self::MODE, $this->_iv));
    }

    public function getEncrypted($key)
    {
        if (isset($this->$key)) {
            $decrypt = mcrypt_decrypt(self::CIPHER, $this->secretKey,
                pack('H*', $this->$key), self::MODE, $this->_iv);
            return rtrim($decrypt, "\0"); // remove null characters off of the end
        }
        return null;
    }
}
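
The split-secret design of the class above, rebuilt on the crypto that ships with current PHP, as an added example that is not Kevin's code and not part of Zend Framework. The mcrypt extension the original relies on was removed in PHP 7.2; the rebuild keeps the idea (one half of the key material in a cookie, the other half in the server-side session, both required to decrypt) but uses libsodium, gives every stored value its own random nonce instead of one IV shared by all variables, and authenticates each ciphertext together with its variable name, so a value can be neither altered nor moved between variables. It uses plain $_SESSION rather than Zend_Session_Namespace and needs PHP 7.3 or later for the setcookie() options array. The i5_connect()/i5_close() calls in the usage part are the toolkit functions named in the thread; the host name `localhost`, the `/login.php` path and the failure handling are assumptions for illustration and were not run against an IBM i system.

```php
<?php
// Added example (not from the original post or Zend Framework): cookie half +
// server half -> per-session key; values stored with per-value nonce and an
// authentication tag bound to the variable name. Needs PHP >= 7.3 with sodium.

final class EncryptedSession
{
    private const COOKIE_NAME = 'EncryptedSession_Client';
    private const SERVER_SLOT = '__es_server_half';
    private const PREFIX      = '__es_';

    private $key; // 32-byte per-session key derived from both halves

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $client = isset($_COOKIE[self::COOKIE_NAME])
            ? base64_decode($_COOKIE[self::COOKIE_NAME], true) : false;
        $hex = $_SESSION[self::SERVER_SLOT] ?? '';
        $server = (is_string($hex) && preg_match('/^[0-9a-f]{64}$/', $hex))
            ? hex2bin($hex) : false;

        // A missing or malformed half means a new browser, an expired cookie or
        // tampering: as in the original, wipe the session and issue a new pair.
        if ($client === false || strlen($client) !== 32 || $server === false) {
            $_SESSION = [];
            $client = random_bytes(32);
            $server = random_bytes(32);
            $_SESSION[self::SERVER_SLOT] = bin2hex($server);
            $p = session_get_cookie_params();   // mirror the session cookie's scope
            setcookie(self::COOKIE_NAME, base64_encode($client), [
                'expires'  => $p['lifetime'] > 0 ? time() + $p['lifetime'] : 0,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => true,
                'samesite' => 'Lax',
            ]);
        }
        // Keyed BLAKE2b of the client half under the server half: someone holding
        // only the session file, or only the cookie, cannot compute this key.
        $this->key = sodium_crypto_generichash(
            $client, $server, SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
    }

    public function set(string $name, string $value): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        // $name goes in as associated data: authenticated, not encrypted
        $box = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            $value, $name, $nonce, $this->key);
        $_SESSION[self::PREFIX . $name] = base64_encode($nonce . $box);
    }

    // null when the slot is empty, was tampered with, or belongs to an old key pair
    public function get(string $name): ?string
    {
        $raw  = $_SESSION[self::PREFIX . $name] ?? null;
        $blob = is_string($raw) ? base64_decode($raw, true) : false;
        $n    = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if ($blob === false || strlen($blob) <= $n) {
            return null;
        }
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($blob, $n), $name, substr($blob, 0, $n), $this->key);
        return $plain === false ? null : $plain;
    }
}

// login.php: check the IBM i credentials before keeping them. Host name and
// failure handling are assumed for illustration.
$session = new EncryptedSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = i5_connect('localhost', $_POST['username'], $_POST['password']);
    if ($conn === false) {
        http_response_code(401);
        exit('Sign-on failed');
    }
    i5_close($conn);
    session_regenerate_id(true);   // new session id after login; data is kept
    $session->set('username', $_POST['username']);
    $session->set('password', $_POST['password']);
}

// search.php, a later request: rebuild the connection from the session, then
// i5_program_prepare() / i5_program_call() as before.
$session = new EncryptedSession();
$user = $session->get('username');
$pass = $session->get('password');
if ($user === null || $pass === null) {
    header('Location: /login.php');   // assumed path
    exit;
}
$conn = i5_connect('localhost', $user, $pass);
```

The credentials are only written after i5_connect() has accepted them, so the session never holds a guessed password, and the session id is regenerated at that point so a pre-login id cannot be fixed by an attacker. Wiping $_SESSION when a half is missing is the same trade-off the original makes: a user who clears the cookie loses the stored sign-on and simply logs in again.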



-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Shannon ODonnell
Sent: Wednesday, June 10, 2009 2:59 PM
To: 'Web Enabling the AS400 / iSeries'
Subject: [WEB400] Reusing User ID and Password with Zend i5_Program_Call

Here's my scenario:

I have the user log in with their i5 user id/password with a PHP script.

I then take the user to a new page, and I have them enter a search string.
I take that search string and I pass it to an RPG program using
i5_Program_Call. Now...as you know, the i5_Program_Call requires the user
to log in first, that is, the php page needs to establish a connection to
the server before doing an i5_program_call.

But in this case, the user logged in on a previous php page which, since
this is basically all stateless, the iSeries and the PHP server know
nothing about.

I do not want to force the user to log in again on this page to do their
search, and I don't want to store that user ID and password in the PHP
script either. So how can I accomplish this?

What does the rest of the community do to reuse the id and password with
PHP like this?

Shannon O'Donnell




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.