I host an intranet and manage several Single Sign-Ons for outside websites. We have always done this through some sort of hidden form.

Example

<form method="post" action="example.php">
  <input type="hidden" value="user" name="user" />
  <input type="hidden" value="password" name="password" />
</form>

We can then have a JavaScript event submit the hidden form behind the scenes and log in the user.

However, a more sophisticated user, who is already authenticated into our site, could view the source and view the user name and password.

I would prefer to have the information posted from a PHP script to seamlessly log them into the external site.

I have done a lot of research on the web and have come up with a few consistent lines of code that people implement that don't seem to work.

They usually are similar to the code below:

 $POSTURL  = 'https://example.com/login.php';                               // placeholder login URL
 $POSTVARS = http_build_query(['user' => 'user', 'password' => 'password']); // form-encoded POST body
 $ch = curl_init($POSTURL);
 curl_setopt($ch, CURLOPT_POST,           1);
 curl_setopt($ch, CURLOPT_POSTFIELDS,     $POSTVARS);   // was bare POSTVARS (missing $), an undefined constant
 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
 curl_setopt($ch, CURLOPT_HEADER,         0);   // DO NOT RETURN HTTP HEADERS
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // RETURN THE CONTENTS OF THE CALL
 $Rec_Data = curl_exec($ch);
 if ($Rec_Data === false) {                     // surfaces errors such as the CAfile one below
     echo 'Curl error: ' . curl_error($ch);
 }
 curl_close($ch);

However, the authentication does not seem to work. If I try to print what is returned by curl_exec, I don't have any success. I am also not sure if this would even be the right way to go about it.

I get the following error from my code:

Curl error: error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none

I don't want to keep the users inside our site, I just want to launch the other site after authenticating them. If this works in a standard HTML post, I should be able to recreate this ability using server side code. Right?

On a side note, I have done something like this in my former life with Coldfusion. It was much much easier. Surely PHP and all its users have come up with something!

+1  A: 

You won't be able to do this with cURL or any other similar methods.

The code example you've posted above runs on the server, not on the client. Therefore you are authenticating the server to the third-party website and not the client. Since you cannot send a cookie as another domain to the client, signing on server side is pretty useless (well, unless you plan to proxy the whole site, which really isn't a solution).

When you sit back and think about it, who needs to be authenticated here? The client or the server? The client does.

You need to do your work client-side in order to login the CLIENT on the third-party website. Your hidden form approach works well, but isn't very secure.

You could also encrypt the values in the HTML and decrypt it client-side using JavaScript onSubmit, but that would be security by obscurity (your decrypt key and algorithm will be available to any malicious user wanting to get the values).

The best (well, security-wise) would be to use either Flash or Java or an ActiveX control to send the request on the third-party website. That way, your login credentials are locked into a format that really isn't easy to extract (still possible, but beyond the reach of most users), and it is executed client-side.

Andrew Moore
Well, I hope you are wrong. My partner in crime thinks that we have to get the right certificate to get to the next step. Once we get to the next step, I suppose we will see you are correct.
Scott
@Scott: I'll save you the trouble of going certificate hunting... Use `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);`. That will stop cURL from complaining about the certificate. Then you'll see that I'm right.
Andrew Moore
Will try. Thanks!
Scott
It takes me to the login page but not authenticated and without any CSS formatting. I guess this is the proof that it "won't work?"
Scott
I guess I am going to scrap this and go back to client side authentication.
Scott
@Scott: Well, if you are outputting the result of cURL to the user... The site has been built to run on their server, so you need to proxy everything including external page resources, which becomes a bigger problem (parsing, modifying HTML source, proxying requests, etc.). It simply isn't worth it.
Andrew Moore
I was kind of under that suspicion when I noticed that Google broke when I did the same thing. I really wanted to redirect it to the spot on THEIR server and just authenticate. Well, thanks for the input; it is very valuable. My partner looked at it and said, yes, what he says makes sense.
Scott
@Scott: Try to use a flash file... Very simple to implement and supported on most machines. Your credentials won't be visible in the source. See `send()` http://www.adobe.com/support/flash/action_scripts/actionscript_dictionary/actionscript_dictionary434.html
Andrew Moore
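The cURL code in the question and the `CURLOPT_SSL_VERIFYPEER, false` suggestion in the comments both deserve a worked caveat. What follows is an added example, not code from the question or from any answer above. It puts the weak setting beside the corrected one (the "certificate verify locations" error means cURL cannot find a CA bundle, so the fix is `CURLOPT_CAINFO`, not turning verification off), checks cURL errors instead of printing an empty body, and uses a cookie jar to make the accepted point concrete: whatever session the remote site issues ends up in a file on the server, never in the visitor's browser. The URL, CA bundle path, field names and the `ssoPost` helper are assumptions for illustration.

```php
<?php
// Added example for this thread; not code from the question or the answers.
// The login URL, CA bundle path and field names are placeholders, not real services.
$loginUrl  = 'https://sso.example.com/login.php';
$caBundle  = '/etc/ssl/certs/ca-certificates.crt';    // Debian/Ubuntu bundle path (assumption)
$cookieJar = tempnam(sys_get_temp_dir(), 'ssojar');  // note: this file lives on the SERVER

function ssoPost(string $url, array $fields, string $caBundle, string $cookieJar, bool $insecure = false): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // form-encode the body
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,           // do not follow a redirect loop forever
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_COOKIEJAR      => $cookieJar,  // the remote site's Set-Cookie is written here ...
        CURLOPT_COOKIEFILE     => $cookieJar,  // ... and replayed from here across redirects
        CURLOPT_TIMEOUT        => 15,
    ]);

    if ($insecure) {
        // WEAK: what the comment above suggests to silence the CAfile error.
        // Any on-path attacker can now impersonate the SSO site and collect the credentials.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    } else {
        // CORRECT: fix the cause of the error by telling cURL where the CA bundle is,
        // and keep hostname verification on (2 = certificate name must match the URL host).
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    }

    $body   = curl_exec($ch);
    $result = [
        'ok'     => $body !== false,
        'errno'  => curl_errno($ch),
        'error'  => curl_error($ch),                           // e.g. the CAfile message in the question
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'final'  => curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), // where the redirect chain ended
        'body'   => $body === false ? '' : $body,
    ];
    curl_close($ch); // the cookie jar is flushed to disk here
    return $result;
}

// Precondition: if the bundle is missing, say so rather than disabling verification.
if (!is_readable($caBundle)) {
    fwrite(STDERR, "CA bundle not readable at $caBundle; install ca-certificates or point CURLOPT_CAINFO at the right file\n");
    exit(1);
}

$r = ssoPost($loginUrl, ['user' => 'user', 'password' => 'password'], $caBundle, $cookieJar);

if (!$r['ok']) {
    fwrite(STDERR, "cURL failed ({$r['errno']}): {$r['error']}\n");
    exit(1);
}

printf("HTTP %d, ended at %s\n", $r['status'], $r['final']);
// The answer's point, made visible: the session cookie sits in a file on this server,
// so the user's browser is still unauthenticated at the third-party site.
printf("Cookies the remote site issued (server-side only):\n%s\n", file_get_contents($cookieJar));
unlink($cookieJar);
```

Run it with the real bundle path for your distribution and you should see the CAfile error disappear without `CURLOPT_SSL_VERIFYPEER` being touched; the printed cookie jar then shows exactly why the server-side login cannot carry over to the browser, which is the conclusion the thread reaches.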