On Tue, Dec 11, 2012 at 9:12 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx>wrote: > ** > On Tue, 2012-12-11 at 08:58 -0400, Paul Halliday wrote: > > On Tue, Dec 11, 2012 at 9:02 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> > wrote: > > On Tue, 2012-12-11 at 08:46 -0400, Paul Halliday wrote: > > Hi, > > I have a form that has username and password fields. While the form > exists and contains various other fields the most common mode of > operation is to have the form auto submit if it has enough arguments > in the URL. So, someone is using an external program that has links > wired as such: > > test.php?start=1&end=2&this=blah&that=argh&username=user&password=pass > > and when they hit that URL it sees it has enough arguments, fires and > returns the result. > > Client <-> Server is encrypted, can I toss these into session variables? > > The user could be coming from multiple frontends and it would be nice > to forgo the user/pass in the url; give the username focus on the > first visit let them drop their creds and then store them into the > session so with each subsequent hit they can just get their results. > > Make sense? > > Note: I need to pass the credentials to an external app each time a > request is made. > > Thanks. > > -- > Paul Hallidayhttp://www.pintumbler.org/ > > > > It looks like you're trying to re-invent authorisation procedures. > Typically, the first request logs a client in and retrieves a hashed key, > which is then used in all subsequent requests so that the server can > correctly verify the client. You can do this the way you suggested with the > session, but you must ensure that the session id is passed across to your > script by each of the connecting clients. That will be done either as part > of the head request, or as an extra parameter in the URL. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > > > I understand that. The username/pass are NOT for authentication to the > form, they are being passed to exec(); > > I would say this is the username/password being used precisely for > authentication, otherwise you wouldn't need to pass them across to exec() > > So, I guess in this context they are just arguments. > > Providing I handle the session properly, does it make sense to toss these > arguments into session variables? > > You can use the session, but the only way your script will know what > session to use is if the clients are sending the session id as part of > their request. > > > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Thanks :) I see the flaw in my reasoning. Just needed to talk about it!
