Re: Storing passwords in session variables

On Tue, 2012-12-11 at 08:58 -0400, Paul Halliday wrote:

> On Tue, Dec 11, 2012 at 9:02 AM, Ashley Sheridan
> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
>         On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote: 
>         
>         > Hi,
>         > 
>         > I have a form that has username and password fields. While the form
>         > exists and contains various other fields the most common mode of
>         > operation is to have the form auto submit if it has enough arguments
>         > in the URL. So, someone is using an external program that has links
>         > wired as such:
>         > 
>         > test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass
>         > 
>         > and when they hit that URL it sees it has enough arguments, fires and
>         > returns the result.
>         > 
>         > Client <-> Server is encrypted; can I toss these into session variables?
>         > 
>         > The user could be coming from multiple frontends and it would be nice
>         > to forgo the user/pass in the url; give the username focus on the
>         > first visit, let them drop their creds and then store them into the
>         > session so with each subsequent hit they can just get their results.
>         > 
>         > Make sense?
>         > 
>         > Note: I need to pass the credentials to an external app each time a
>         > request is made.
>         > 
>         > Thanks.
>         > 
>         > -- 
>         > Paul Halliday
>         > http://www.pintumbler.org/
>         > 
>         
>         
>         
>         
>         It looks like you're trying to re-invent authorisation
>         procedures. Typically, the first request logs a client in and
>         retrieves a hashed key, which is then used in all subsequent
>         requests so that the server can correctly verify the client.
>         You can do this the way you suggested with the session, but
>         you must ensure that the session id is passed across to your
>         script by each of the connecting clients. That will be done
>         either as part of the head request, or as an extra parameter
>         in the URL.
>         
>         Thanks,
>         Ash
>         http://www.ashleysheridan.co.uk
>         
>         
>         
> 
> I understand that. The username/pass are NOT for authentication to the
> form, they are being passed to exec();

I would say this is the username/password being used precisely for
authentication, otherwise you wouldn't need to pass them across to
exec().

> So, I guess in this context they are just arguments.
> 
> Providing I handle the session properly, does it make sense to toss
> these arguments into session variables?

You can use the session, but the only way your script will know what
session to use is if the clients are sending the session id as part of
their request.




Thanks,
Ash
http://www.ashleysheridan.co.uk
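
The flow discussed in this thread, as an added example that is not part of the original messages: credentials are posted once, kept in a cookie-bound session instead of the URL, and passed to exec() on later hits. The tool path, its `--user`/`--pass` flags and the `ext_user`/`ext_pass` session keys are hypothetical.

```php
<?php
// Added example; REPORT_TOOL, its flags and the session keys are hypothetical.
declare(strict_types=1);

const REPORT_TOOL = '/usr/local/bin/report-tool'; // stand-in for the external app

function start_secure_session(): void
{
    // Session id travels only in a TLS-only cookie, never as a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax', // still sent when a link from another frontend is followed
    ]);
    session_start();
}

function remember_credentials(string $user, string $pass): void
{
    session_regenerate_id(true); // fresh id at the moment secrets enter the session
    $_SESSION['ext_user'] = $user;
    $_SESSION['ext_pass'] = $pass;
}

function build_command(string $user, string $pass, array $query): string
{
    // Arguments are visible in the process list; use stdin/env if the tool allows it.
    $args = [REPORT_TOOL, '--user', $user, '--pass', $pass];
    foreach (['start', 'end', 'this', 'that'] as $key) {
        if (isset($query[$key]) && is_scalar($query[$key])) {
            $args[] = "--$key";
            $args[] = (string) $query[$key];
        }
    }
    return implode(' ', array_map('escapeshellarg', $args));
}

start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['username'] ?? null) && is_string($_POST['password'] ?? null)) {
    remember_credentials($_POST['username'], $_POST['password']);
}
if (!isset($_SESSION['ext_user'], $_SESSION['ext_pass'])) {
    http_response_code(401);
    exit('Post username and password once to start a session.');
}
exec(build_command($_SESSION['ext_user'], $_SESSION['ext_pass'], $_GET), $output, $status);
echo htmlspecialchars(implode("\n", $output), ENT_QUOTES, 'UTF-8');
```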


