Hi there, first, let me say that I don't know anything about PHP. Second, here's the problem: We have 2 web applications. The first one is a user registration application made in PHP, that runs under Apache. The second one is the 'main' application, made in JSP and running on Tomcat.
We would like to be able to share information between both applications so the user would not have to log back into one system if he was already logged in the other. Is there an existing mechanism to do such a thing? If not, is it possible to implement something simple to do so? Do you see any problem with such a thing? I know we can do something similar to share information between various webapps on a single Tomcat server, but can this be done with an Apache webapp and a Tomcat webapp? Thanks in advance! Cheers!
As for your problem: PHP sessions are different 'objects' than JSP sessions, and are stored in their respective containers. Are you looking to access something that was stored in a JSP session, on the PHP side, and vice versa, or are you merely looking for 'single sign on', which involves only authentication, while not implying "same session"?
The Tomcat mechanism you allude to is for single sign on, but I don't believe this is the exact same thing as 'sharing session'.
One thing you might consider is storing the 'session' state in a database, and have both apps consult this database for sessions. But if you're going that far, you might as well re-write the PHP app as a JSP app (or vice versa).
Hello there! I have a similar problem to the one described by java noob. 1st, we have our main product, which is a JSP site (on Tomcat, but accessible through Apache via mod_jk). 2nd, we have our user registration site that is written in PHP (on Apache). Users will access our JSP site, and if they want to edit their user profile, they will be forwarded to the PHP site. We'd like them not to have to re-enter their login and password, as it makes things look a lot less professional. Another issue is that we don't force users to log in on the JSP site (we don't use Tomcat's security mechanism). All pages are accessible to 'guests', but with fewer features than for registered customers. Our login is performed via a simple Struts action that authenticates the user and stores his profile in his session. Once this is done, if the user wishes to edit his profile or his subscription, he can click on a link and be forwarded to the PHP site. We'd like to implement something that could tell the PHP site that the user was already logged in. Any thoughts on how this could be done? TIA! C
Well, if you're not using any of the Tomcat A&A (Authentication & Authorization) stuff, then I'm assuming you consider a user logged in if they put a username and password into a form. Then you create whatever objects you want, and stick them in the session. Or you do it through a Struts action. (I'm not familiar with Struts).
1) show page that logs person in to JSP
2) process JSP login
3) send a page to the browser that automagically submits to the PHP login
4) process PHP login
5) send them back to the JSP site.
So now they're logged in both places.
1) show JSP login page
2) process JSP/PHP login
3) show JSP site.
SCJP, SCWCD, SCBCD, IBM CSD WebSphere v5, A+, MCP 2000 and 2000 server, CST, and a few incomplete certification tracks.
Ivory Coast
Analyze your web Request/Response @ http://webtools.servehttp.com down for a while...
Yeah, we have the same exact problem! What we came up with as a solution depends on the scenario. If you log into the PHP side, we call our login.do Struts action with an extra parameter for the user ID who logged in, using a PHP function called fopen which can open up URLs just like normal files, and the good thing is this happens on the server side so the user ID isn't exposed at all on the client side. From Java to PHP we use the HttpURLConnection, which is the equivalent of PHP's fopen, and it still hides all this from the client side; users won't notice anything. You need to do the same thing for logout, unfortunately, to keep things consistent. Otherwise people might log out in Java but still be logged in in PHP. Cookies might be an option, but you would have to be careful to set the timeout fairly quick to avoid a security problem, I guess. I'm not a pro at cookies but I would think anything on the client side is modifiable by a clever user and hence could be a security breach.
Joined: Oct 05, 2003
Also, as a side note, I don't know if there's any way to make this more secure, because basically what it means is that somebody could by chance type in the URL login.do&userid=1 for example and would log in the person with userid 1. This is not very secure, but again our application doesn't need military-type security. Still, if there's a better way to do this, please post.
Maybe there's a way to check that the server called himself via the referrer or something? Like this kind of login could accept this parameter injection only from localhost?
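The concern in the posts above is that login.do trusts a bare userid parameter, and a Referer header is supplied by the client, so it cannot prove that the caller is the other server. As an added example (not code from this thread or from either application), here is a short-lived HMAC-signed handoff token that the issuing app creates and the receiving app verifies; the class name, shared key, 60-second lifetime and numeric user IDs are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HandoffToken {
    // Secret shared by the two servers only (constructed sample value; load from config in practice).
    private static final byte[] KEY =
            "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
    private static final long MAX_AGE_SECONDS = 60; // assumed lifetime

    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Issuing side: bind the (numeric) user ID to the issue time and sign both. */
    static String issue(String userId, long nowEpochSeconds) throws Exception {
        String payload = userId + "." + nowEpochSeconds;
        return payload + "." + sign(payload);
    }

    /** Receiving side: returns the user ID, or null if malformed, forged or expired. */
    static String verify(String token, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        byte[] expected = sign(parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8);
        byte[] supplied = parts[2].getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the signature.
        if (!MessageDigest.isEqual(expected, supplied)) return null;
        long issued;
        try { issued = Long.parseLong(parts[1]); }
        catch (NumberFormatException e) { return null; }
        long age = nowEpochSeconds - issued;
        if (age < 0 || age > MAX_AGE_SECONDS) return null;
        return parts[0];
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String token = issue("1", now);
        System.out.println("valid:    " + verify(token, now + 5));
        System.out.println("expired:  " + verify(token, now + 3600));
        System.out.println("tampered: " + verify(token.replaceFirst("^1\\.", "2."), now + 5));
        System.out.println("bare id:  " + verify("1", now));
    }
}
```

The PHP side would compute the same tag with `hash_hmac('sha256', ...)` over the same payload string. A token stays valid for the whole lifetime window, so it should travel over HTTPS, and recording used tokens on the receiving side would make each one single-use.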
What about sharing session objects throughout multiple web applications (separate war files) (acting as a single application for consistent look and feel) under a single application server? Generally it should have no problem unless multiple JVMs are used, right?
Ashik Uzzaman Lead Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.