views:

451

answers:

4

I have a Java application that I need to integrate our existing PHP website with. The vendor wants us to do a server-side redirect to allow for secure authentication and single-sign-on, but I'm not sure how to do that in PHP. The vendor explained the workflow as follows:

  1. User clicks on a 'Open Application' link on our PHP site
  2. The PHP application hits a page on the Java application, sending the authentication parameters
  3. If successful, the PHP application sends the headers back to the user's browser, which forces a 'redirect', otherwise the PHP app displays an error

What this will allow would be for our PHP app to securely talk to the Java app, and the client never has to send any sort of authentication.

From what I understand, .NET and Java have this capability built in, but I can't find a way in PHP to do this. Any ideas?

UPDATE

I'm not talking about using the header("Location: ..."); function to do a redirect. The kicker with this server-side redirect is that the app does the authentication and sends all that information back to the client so that the client is then logged in. Using header("Location: ...") just forces the browser to go elsewhere.

UPDATE 2

autologin.php (Simulates the user logging into an external app via curl)

// The login 'form' is at login.php
$ch = curl_init('http://domain.local/login.php');
// We are posting 2 variables, and returning the transfer just so it doesn't dump out
// Headers are processed by the callback function processHeaders()
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'processHeaders');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'username=user&password=pass');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Execute curl, close the connection, and redirect the user to a 'restricted' page
$response   = curl_exec($ch);
curl_close($ch);
header("Location: http://domain.local/restricted.php");
exit;

function processHeaders($ch, $header) {
    // Dump the response headers to the client (skip the blank line that ends the header block)
    if (trim($header) !== '') {
        header($header);
    }
    // cURL aborts the transfer unless the callback returns the number of bytes it handled
    return strlen($header);
}

login.php (Contains the 'login' form)

session_start();
if($_POST) {
    if($_POST['username'] == 'user' && $_POST['password'] == 'pass') {
        $_SESSION['auth'] = 1;
        $_SESSION['token'] = md5(time());
    } else {
        echo 'Auth failed';
    }
} else {
    echo 'Invalid access type';
}

restricted.php (Restricted page)

session_start();
// empty() avoids an undefined-index notice when the user has not logged in yet
if(!empty($_SESSION['auth'])) {
    echo 'Secret Token: '.$_SESSION['token'];
} else {
    echo 'Please log in';
}

The idea is that the user wants to ultimately get to 'restricted.php'. 'login.php' contains the code necessary to log in. What I want to simulate is the user filling out the form on 'login.php' and logging the user into 'restricted.php'.

The above snippets of code work together on my local tests (hitting autologin.php redirects to restricted.php and the secret token is printed out), but I can't seem to get it to work cross-application. The apps will be on the same domain (https://domain.com/myapp, https://domain.com:1234/vendorapp).

I've never done this before in any language, I'm just going off of what my vendor has told me they've done. Apparently they've never dealt with PHP before and have no idea what to do.

+4  A: 

You just output a normal HTTP redirect header() like this:

<?php header('Location: http://www.example.com/'); ?>

Re Update

If I understand correctly you'd need to do this:

  1. Browser POSTs login request to PHP server
  2. PHP script packages the login information in some specific form for JSP app
  3. PHP script POSTs (via cURL) or SOAPs or whatever is necessary to JSP app
  4. PHP receives the response and parses out the necessary information
  5. PHP sends header and/or body data back to browser

Step 4, parsing the information, depends on how you send and receive the information. If you receive them in the header via cURL, you'll need to set CURLOPT_HEADER to true and parse the necessary data out of the response. This may be as simple as splitting the string on the first blank line or more complicated, that depends on your specific situation.

How this logs in the user in your app is something you need to handle as well. The JSP app probably handles the actual password and username and hands you back a token of some sort which you'll need to keep track of.

deceze
The user will have already authenticated into my application. The vendor said that there is no token exchanged (we have another third-party service that does just that, we POST a secret username/password and get back a temporary login token), we just POST against them and shove the headers back to the client browser.
dragonmantank
Then I hope the answers here give you enough of a handle to get this working, otherwise you'll have to explain in a lot more detail what exactly it is you want to know. :)
deceze
Maybe it'd help to tell us what exactly you'd do in .NET and Java, so we can tell you the PHP equivalent.
deceze
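The flow deceze lists above, carried through for the setup described in the question (our app at https://domain.com/myapp, the vendor app at https://domain.com:1234/vendorapp), as an added example that is not code from the question or from any answer. It POSTs to the vendor with cURL, keeps the response headers with CURLOPT_HEADER, splits them off the body, and hands only the Set-Cookie headers back to the browser before redirecting, instead of replaying every header the way autologin.php does. The vendor login URL, landing page, cookie path, the VENDOR_SSO_USER/VENDOR_SSO_PASSWORD constants and the success rule (200 or 302 plus at least one cookie) are assumptions.

```php
<?php
// Added example, not code from the question or any answer. Server-side login
// against the vendor app, forwarding only its Set-Cookie headers to the browser.
// The vendor URLs, cookie path, credential constants and success rule are assumptions.

session_start();
if (empty($_SESSION['auth'])) {              // the user must already be logged in to our app
    http_response_code(403);
    exit('Please log in');
}

$vendorLogin = 'https://domain.com:1234/vendorapp/login';   // assumed
$vendorHome  = 'https://domain.com:1234/vendorapp/home';    // assumed
$vendorPath  = '/vendorapp';                                // assumed cookie path of the vendor app

$ch = curl_init($vendorLogin);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'username' => VENDOR_SSO_USER,        // assumed constants, defined outside the web root
        'password' => VENDOR_SSO_PASSWORD,
    ]),
    CURLOPT_HEADER         => true,   // response headers come back together with the body
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,  // do not follow the vendor's own redirect; we issue ours
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,
]);
$raw        = curl_exec($ch);
$err        = curl_error($ch);
$status     = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
curl_close($ch);

if ($raw === false) {
    http_response_code(502);
    exit('Vendor login failed: ' . htmlspecialchars($err));
}

// CURLINFO_HEADER_SIZE gives the exact split point, which is safer than searching
// for the first blank line when the body itself happens to start with one.
$headerBlock = substr($raw, 0, $headerSize);
$body        = substr($raw, $headerSize);   // available if the vendor reports errors in the body

// Collect only the Set-Cookie headers. Replaying Content-Length, Date,
// Transfer-Encoding or the vendor's status line would corrupt our own response.
$cookies = [];
foreach (preg_split('/\r?\n/', $headerBlock) as $line) {
    if (stripos($line, 'Set-Cookie:') !== 0) {
        continue;
    }
    $cookie = trim(substr($line, strlen('Set-Cookie:')));
    // If the vendor omitted Path, the browser would default it to our own URL path
    // (/myapp) and the vendor app would never receive the cookie. Pin it to the vendor's path.
    if (stripos($cookie, 'path=') === false) {
        $cookie .= '; Path=' . $vendorPath;
    }
    $cookies[] = $cookie;
}

// Assumed success rule: the vendor answers 200 or 302 and sets a session cookie.
if (!in_array($status, [200, 302], true) || $cookies === []) {
    http_response_code(502);
    exit('Vendor login failed (HTTP ' . (int) $status . ')');
}

// Browsers scope cookies by host, never by port, so a cookie set from domain.com
// (port 443) is also sent to domain.com:1234. That is why this works for the
// same-host layout in the question and would not for a vendor on another host.
foreach ($cookies as $cookie) {
    header('Set-Cookie: ' . $cookie, false);   // false keeps every Set-Cookie line
}
header('Location: ' . $vendorHome, true, 302);
exit;
```

Keep the shared credentials out of the request path entirely (constants loaded from outside the document root, not from $_POST), and check what the vendor actually returns on a bad login before relying on the 200/302 rule: some Java login pages answer 200 with an error page, in which case the presence of a session cookie is the only reliable signal.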
+6  A: 

like this:

header("Location: http://www.example.com/");

But it must come before any other code...see php.net

menkes
+2  A: 

It sounds like you are looking for the curl library, which is usually bundled with PHP.

http://php.net/manual/en/book.curl.php

<?php
session_start();

// Receive username / password from $_POST
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Prepare CURL object for post (the Java server's login URL is a placeholder)
$ch = curl_init('https://java-server.example/login');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $username, 'password' => $password)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Post u/p to java server
$response = curl_exec($ch);

// Read response: here an HTTP 200 counts as success; adjust to what the Java server really returns
$success = ($response !== false) && curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200;
curl_close($ch);

if($success)
{
    $_SESSION['LoggedInTime'] = time();
    header('Location: nextpage.php');
    exit;
} 
else
{
    //display error
    echo 'Login failed';
}

Update:

Later, you can check $_SESSION['LoggedInTime'] + 3600 > time() to see if they are still logged in. Every time they visit a logged in page, do this:

if(isset($_SESSION['LoggedInTime']) && $_SESSION['LoggedInTime'] + 3600 > time()) 
{
     // Refresh the idle timer with the current time (storing time() + 3600 here would double the window)
     $_SESSION['LoggedInTime'] = time();
} 
else
{
     header('Location: /login.php?Message=session+expired');
     exit;
}

Hope this helps.

gahooa
How do I get the client to then be 'logged in'? Doesn't this just log in my app using curl and not the user itself?
dragonmantank
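The idle-timeout check gahooa describes, written up as a reusable guard, as an added example that is not gahooa's code. It keeps the answer's 3600-second idle window stored in $_SESSION['LoggedInTime'] and adds an absolute lifetime so that a continuously active session still ends; the constants, the LoginStart key, the login URL and the function names are assumptions.

```php
<?php
// Added example, not gahooa's code: a guard for pages that require a logged-in
// user, combining the answer's idle timeout with an absolute session lifetime.
// The constants, the LoginStart key and the login URL are assumptions.

const IDLE_TIMEOUT = 3600;       // seconds allowed between two requests
const MAX_LIFETIME = 8 * 3600;   // seconds since login, regardless of activity

// Call once, right after the Java/vendor login has succeeded.
function mark_logged_in(): void
{
    session_regenerate_id(true);          // fresh session id after the privilege change
    $_SESSION['LoggedInTime'] = time();
    $_SESSION['LoginStart']   = time();
}

// Call at the top of every protected page.
function require_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now    = time();
    $idleOk = isset($_SESSION['LoggedInTime']) && $_SESSION['LoggedInTime'] + IDLE_TIMEOUT > $now;
    $lifeOk = isset($_SESSION['LoginStart'])   && $_SESSION['LoginStart']   + MAX_LIFETIME > $now;

    if (!$idleOk || !$lifeOk) {
        // Expired on either clock: wipe the session before sending the user away
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl . '?Message=session+expired');
        exit;
    }
    // Refresh the idle clock with the current time. Storing time() + IDLE_TIMEOUT
    // here would silently double the idle window on every request.
    $_SESSION['LoggedInTime'] = $now;
}
```

Both clocks compare against time() on the server, so the check does not depend on the cookie's own expiry, which the browser controls; the absolute lifetime is what limits how long a stolen session id remains useful.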
A: 

If you are trying to integrate php and java on the web, you may want to look into Quercus/Resin. Your PHP can then call java code directly. Since they are running on the same server, the java code could write any cookies, set up any sessions or do any necessary setup processing. http://www.caucho.com/resin-3.0/quercus/tutorial/module/index.xtp

Brent Baisley
Unfortunately they won't reside on the same box, but this is interesting nonetheless
dragonmantank