Hi folks --

I have a client running an ASP.NET application. Inside of that, there's a self-contained PHP wiki. The problem is that the wiki won't use the .NET authentication, so requests directly to http://foobar/path/wiki/ will resolve without forcing a login.

My simple solution for this is to run the PHP application in an iFrame from an .aspx file that will force authentication, and then use PHP to detect if the page is loaded outside of a frame and redirect if so.

I know this can be done with JavaScript quite easily, but I would prefer to do this test server-side before the Wiki content loads. I need help figuring out a way that this can be done. Referrer comparison perhaps?

Any suggestions?

Thanks!

+1  A: 

Even with JavaScript this is not secure. One could simply request the Wiki pages and ignore the JavaScript. For example, I could use wget to pull down all your content without ever authenticating.

If security is important, I would highly recommend figuring out a way to make the PHP app aware of the authentication.

The simplest approach, if this is all on one server, would be to have the .NET application store some sort of token after authenticating, somewhere PHP can access it. Then set a cookie that the PHP wiki will receive and check that value is a valid session for each request.

Mark Renouf
+2  A: 

There is no way to tell on the server-side if a client's browser is loading a page within a frame, tab, or dedicated window.

What you can do is have your .NET application set a cookie after authenticating that the PHP application will read. If the cookie doesn't exist then do a redirect to the authentication page.

sirlancelot
Merely checking for the existence of a cookie is not enough. You need a way to determine the client requesting the page has authenticated. If I know the name of the cookie I can now access the wiki without authenticating.
Mark Renouf
Thanks Mark. I updated my answer. That's what I meant but I guess it didn't come across the first time.
sirlancelot
@sirlancelot: More generally there is no way to tell on the server-side if a page is even being requested by a real user sitting in front of a real web browser! Relying on cookies or user agent strings on the server to try to make these types of decisions is fraught with peril.
Grant Wagner
@Grant Wagner: could you please give a context to "fraught with peril" and, generally, another approach? This situation is medium-security. The cookie idea, plus JavaScript for the heck of it, will probably suffice, but I do want to make sure I'm not setting myself up for a major issue.
Martin McClellan
NOTES: In the end, this is what I did, although I was able to strip out the whole misguided iFrames idea. The .NET app is setting a salted hash for the session cookie. I'm authenticating against that hash in the PHP app, and otherwise killing the load and forwarding to the login page. Seems to work fine -- Thanks everybody!
Martin McClellan
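As an added example (not code from the original thread, and not from either of the two applications), here is what the PHP side of the scheme in Mark Renouf's answer and in the closing notes could look like: the .NET app records a token after login in a store both apps can read, hands it to the browser in a cookie, and the wiki validates that token on every request before sending any content. The store path, cookie name, login URL and token lifetime below are assumptions, and the token-issuing step that the .NET app would perform is simulated in PHP so the file can be run from the command line. Because every request is validated server-side, neither the iFrame nor a Referer check is needed.

```php
<?php
// Added example for the PHP wiki: validate a session token issued by the
// ASP.NET app on every request. Store path, cookie name, login URL and TTL
// are hypothetical; the .NET-side issue_token() is simulated here in PHP.
declare(strict_types=1);

const TOKEN_STORE = '/var/lib/shared-auth/sessions.json'; // assumed shared path
const COOKIE_NAME = 'WIKI_AUTH';                          // assumed cookie name
const LOGIN_URL   = '/Login.aspx';                        // assumed login page
const TOKEN_TTL   = 3600;                                 // seconds a token stays valid

/**
 * What the .NET app would do after a successful login (simulated here):
 * mint a random, unguessable token, store only its hash with the user and an
 * expiry, and return the raw token so it can be set as the cookie value.
 * Storing the hash means reading the store does not yield a usable cookie.
 */
function issue_token(string $user, string $store = TOKEN_STORE): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits of randomness
    $records = load_store($store);
    $records[hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => time() + TOKEN_TTL,
    ];
    save_store($store, $records);
    return $token;
}

/**
 * Resolve a cookie value to a user, or null. Presence of the cookie is not
 * enough: the value must match a stored, unexpired session record.
 */
function authenticated_user(?string $cookieValue, string $store = TOKEN_STORE, ?int $now = null): ?string
{
    if ($cookieValue === null || !preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null;                               // missing or malformed cookie
    }
    $now ??= time();
    $record = load_store($store)[hash('sha256', $cookieValue)] ?? null;
    if ($record === null || $record['expires'] <= $now) {
        return null;                               // unknown or expired token
    }
    return $record['user'];
}

/** Call this at the top of every wiki page, before any output is sent. */
function require_login(): string
{
    $user = authenticated_user($_COOKIE[COOKIE_NAME] ?? null);
    if ($user === null) {
        $return = rawurlencode($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . LOGIN_URL . '?ReturnUrl=' . $return, true, 302);
        exit;                                      // kill the load; no wiki content goes out
    }
    return $user;
}

function load_store(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function save_store(string $path, array $records): void
{
    file_put_contents($path, json_encode($records), LOCK_EX);
}

// Command-line demo with a temporary store (constructed data, not the real path).
if (PHP_SAPI === 'cli') {
    $tmp   = tempnam(sys_get_temp_dir(), 'sess');
    $token = issue_token('alice', $tmp);
    $ok = authenticated_user($token, $tmp) === 'alice'                       // valid token
       && authenticated_user(str_repeat('0', 64), $tmp) === null             // cookie present, no session
       && authenticated_user($token, $tmp, time() + TOKEN_TTL + 1) === null; // expired
    unlink($tmp);
    echo $ok ? "ok\n" : "FAILED\n";
    exit($ok ? 0 : 1);
}
```

The cookie the .NET side sets should carry the raw token only, marked HttpOnly and (over HTTPS) Secure, with a Path that covers the wiki directory. The value must be random rather than derived from something an attacker could guess, since anyone who can construct a valid cookie value reaches the wiki without ever seeing the login page. Expired records can be pruned from the store periodically, and logout on the .NET side should delete the record so the cookie stops working immediately.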