I need to post a string from a .NET site to a Classic ASP site which are hosted on the same server (different virtual directories).

https://example.com/DOTNETSite/Sender.aspx

to

https://example.com/ClassicASP/SomeFolder/Target.asp

Target.asp page has 3 ways to handle incoming data:

  1. Form Post
  2. Query String
  3. Headers

I can't pass my data in the query string, so that option is out. I am trying the Form post method by building a form on the server side and spitting out JavaScript code to do a form.submit(). But this is causing Internet Explorer to throw a Security Alert for the user. We want to avoid this. Please let us know what is the best way to overcome this situation. Thanks a ton.

A: 

Right now you are doing:

your server ----> your client/browser ----> their server

Instead you should use:

your server ----> your client/browser ----> your server ----> their server

That is (if it wasn't clear enough), make it send the form to your own server. When your server receives the form, it should send it to the target server.

On a basic level, this works. However, you may get issues if the user is supposed to be logged in on the 2nd server etc.

I'll try to illustrate an example in PHP:

File: form.html

<form action="send.php" method="post">
    ....
</form>

File: send.php

<?php
  $url='https://example.com/ClassicASP/SomeFolder/Target.asp';
  // create new curl connection
  $ch=curl_init();
  // tell curl target url
  curl_setopt($ch, CURLOPT_URL, $url);
  // tell curl we will be sending via POST
  curl_setopt($ch, CURLOPT_POST, true);
  // tell it not to validate ssl cert
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  // tell it where to get POST variables from
  curl_setopt($ch, CURLOPT_POSTFIELDS, $_POST); 
  // make the connection
  curl_exec($ch);
  // close connection
  curl_close($ch);
?>
Christian Sciberras
Thanks for the response. Please, can you be more specific on this? As I understood, doing a form post via JavaScript is a wrong option. Correct? Just an FYI, I need this in ASP.NET C#.
wortex
In some cases (like an IdP to an SP in SSO via Shibboleth), "your server ----> your client/browser ----> your server ----> their server" isn't desirable and "your server ----> your client/browser ----> their server" is, otherwise the second server may not be able to authenticate the browser directly and the first server could effectively be a man in the middle. Posting to another HTTPS normally works without warning.
Bruno
@Bruno, that is why I said being man-in-the-middle may introduce other problems, however, as I said, on a basic level it works. @wortex, what I'm saying is, instead of making the user send the request to the target server, make your own server send the target request - after receiving the required data from the user's form first, of course.
Christian Sciberras
Can you guys provide some sample code for this? I tried this: Response.Write("<body onload=document.forms[0].submit();>"); Response.Write("<form name=\"Form\" method=post action=\"https://example.com/ClassicASP/SomeFolder/Target.asp\">"); Response.Write(string.Format("<input type=hidden name=\"postData\" value=\"{0}\">", "data")); Response.Write("</form>"); Response.Write("</body>"); This works from localhost to the target, but when I deploy to prod with HTTPS, it throws me the security popup.
wortex
@wortex - No, you have to make your server do the HTTP(S) connection yourself! In PHP, we use CURL or Sockets, see what's the equivalent in ASP.
Christian Sciberras
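
A C# counterpart to the server-side relay described in the answer, added here as an example and not code from any poster in the thread. The class name `TargetRelay`, the allow-list containing only `postData` (the field name from the snippet in the comments), the length limit and the timeout are assumptions; TLS certificate validation is left at its default, enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

public static class TargetRelay
{
    // Destination is a constant from the question, never read from the request,
    // so the relay cannot be pointed at arbitrary hosts.
    static readonly Uri Target =
        new Uri("https://example.com/ClassicASP/SomeFolder/Target.asp");

    // Assumption: "postData" is the only field Target.asp needs.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "postData" };
    const int MaxValueLength = 4096; // assumed size limit

    // One shared client; the default handler validates the TLS certificate.
    static readonly HttpClient Client =
        new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

    // Keep only allow-listed, size-bounded fields from what the browser submitted.
    public static Dictionary<string, string> Filter(
        IEnumerable<KeyValuePair<string, string>> submitted)
    {
        var kept = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var f in submitted)
            if (f.Key != null && Allowed.Contains(f.Key)
                && f.Value != null && f.Value.Length <= MaxValueLength)
                kept[f.Key] = f.Value;
        return kept;
    }

    // Server-to-server form POST; the browser never talks to Target.asp.
    public static async Task<string> PostAsync(
        IEnumerable<KeyValuePair<string, string>> submitted)
    {
        var fields = Filter(submitted);
        if (fields.Count == 0) throw new ArgumentException("nothing to forward");
        using (var body = new FormUrlEncodedContent(fields))
        using (var resp = await Client.PostAsync(Target, body).ConfigureAwait(false))
        {
            resp.EnsureSuccessStatusCode(); // fail loudly on 4xx/5xx
            return await resp.Content.ReadAsStringAsync().ConfigureAwait(false);
        }
    }

    public static void Main()
    {
        // Constructed sample input: one expected field, one unexpected field.
        var submitted = new Dictionary<string, string>
            { { "postData", "data" }, { "next", "https://other.example/" } };
        foreach (var f in Filter(submitted)) Console.WriteLine(f.Key + "=" + f.Value);
    }
}
```

`Main` only exercises the filter on the constructed input; the page that receives the user's form would await `TargetRelay.PostAsync` with the submitted fields.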