Using cookie to transfer data into a CI3 app
I need to get data (an email address) from a PHP application (Onelogin) into my CI3 application. The Onelogin application (small PHP app) gets the data and sticks it in a session variable. But I have found that when my app starts and creates its own session variable, it obliterates the $_SESSION created by Onelogin.
So I came up with an idea where Onelogin creates a cookie called cookie_email. Then in my application I use $em=get_cookie('cookie_email'); When I looked at $em, it is null. I also tried looking at $_COOKIE with my debugger. I can see a bunch of other cookies, but not cookie_email.
proof that an old dog can learn new tricks
OK. I managed to get the email address from the saml application via a cookie and into a CI3 application. I am however concerned that the correct user who was just authenticated gets their email address passed. One idea I have is to read the cookie and then delete the cookie. But this cookie passing scheme probably should be protected with a semaphore.
I took a look at the CI3 docs and don't see semaphores. Is there some way to serialize access to a shared resource in CI3?
proof that an old dog can learn new tricks
The cookie is not working. This is what happens: user A gets authenticated and the app reads the cookie as [email protected]. Now user B gets authenticated and now the cookie is [email protected]. Now user A switches tabs on the menu. My app gets the cookie but it's [email protected]. I.e., it is now the wrong user.
So cookies won't cut it. Any other ideas? I am now trying this:
if (!isset($_SESSION['userid'])) {
    $_SESSION['userid'] = $_COOKIE['cookie_email'];
}
I can only think of one other way to do this serially without interprocess communication. That is by creating a file. This will only change the userid once per process.
proof that an old dog can learn new tricks
Do you know how cookies work?
I managed to get the email address transferred via the cookie. Is this secure? I don't know, but I am using ENV variables to keep passwords secure. Now, once I get the email address into the application and I push it into an environment variable, I need to only allow that one person to access their pages.
Any recommendation on how to keep others from accessing the pages? I could set it up so that if there is no email address, the program exits?
proof that an old dog can learn new tricks
> I managed to get the email address transferred via the cookie. Is this secure?
No. A cookie is not secure. But when a user (or an attacker) changes the cookie value, if it is not a problem, you are okay to use it.
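Added example, not part of the thread and not the posters' code: since the browser can change a cookie's value, the receiving app can at least require that the value carries a keyed MAC and a short expiry set by the authenticating app. The `HANDOFF_KEY` environment variable, the function names, the 60-second lifetime and the sample address are assumptions; the `setcookie` options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. HANDOFF_KEY is an assumed shared secret
// available to both apps through the environment.
function handoff_key(): string
{
    $key = getenv('HANDOFF_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('HANDOFF_KEY missing or shorter than 32 bytes');
    }
    return $key;
}

// Issuer (the small SAML app): call after the user has been authenticated.
function issue_handoff(string $email, int $ttl = 60): string
{
    $payload = base64_encode(json_encode(['email' => $email, 'exp' => time() + $ttl]));
    return $payload . '.' . hash_hmac('sha256', $payload, handoff_key());
}

// Consumer (the CI3 app): returns the email, or null if forged or expired.
function verify_handoff(string $token): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Check the MAC in constant time before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, handoff_key()), $mac)) {
        return null;
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !is_string($data['email'] ?? null)
        || !is_int($data['exp'] ?? null) || $data['exp'] < time()) {
        return null;
    }
    return $data['email'];
}

// Demo with constructed values (random key, made-up address).
putenv('HANDOFF_KEY=' . bin2hex(random_bytes(32)));
$token = issue_handoff('user@example.test');
// The issuer would send it with:
// setcookie('cookie_email', $token, ['expires' => time() + 60, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(verify_handoff($token));        // untouched token
var_dump(verify_handoff('x' . $token));  // modified token
```

In the CI3 app, the verified address would be copied into `$_SESSION['userid']` once and the cookie deleted, as proposed earlier in the thread; a `null` result is the case where the request should be refused.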