PHP OpenSSO FAQ: Can you share a PHP script to validate a user's OpenSSO cookie?
In my final planned blog post about using PHP to manually authenticate a user's credentials against an OpenSSO identity management server, today I'll share some PHP source code that demonstrates how you can test whether a user's current OpenSSO token (a browser cookie) is valid. You'll want to use this technique, or something like it, when you want to manually protect your PHP content via RESTful identity web service calls to your OpenSSO server.
(As a very important note, performing this action manually is not always necessary. It's just one of the four ways to integrate with an OpenSSO server, and the method I'm most interest in at this time, as it gives me the ultimate flexibility in my web applications.)
Validate an OpenSSO browser cookie
My main.php
script calls the OpenSSO identity service named isTokenValid
to determine whether the OpenSSO cookie stored in the user's browser is a valid token in our OpenSSO data store. This cookie may be blank if the user hasn't logged in yet, it may be invalid because the user's login session has expired (or because someone is trying to hack into the system), or it may have a valid value, in which case we let the user into our system.
Given that introduction, here's the main.php
source code:
<?php require 'HTTP/Request.php'; $LOGIN_PAGE = 'http://loginserver.example.com:8000/identity-tests/login.php'; $OPENSSO_URL = 'http://opensso.example.com:8080/opensso/identity/isTokenValid'; # discussion: # this php page is 'protected' via code, specifically using a web service # call to our opensso server. if the opensso cookie is not valid, # redirect the user to the login page. # if the cookie is blank, immediately go to the login page. $cookie_value = $_COOKIE[iPlanetDirectoryPro]; if (trim($cookie_value) == '') { error_log('(main.php) COOKIE WAS BLANK; BACK TO THE LOGIN PAGE.'); header("Location: $LOGIN_PAGE"); return; } error_log('(main.php) COOKIE WAS NOT BLANK; CONTINUE'); error_log("(main.php) COOKIE: $cookie_value"); # we have a cookie value, so test it against our opensso server $req = new HTTP_Request($OPENSSO_URL); $req->setMethod(HTTP_REQUEST_METHOD_POST); $req->addHeader('Cookie',"iPlanetDirectoryPro=$_COOKIE[iPlanetDirectoryPro]"); $req->addHeader('Content-Type','application/x-www-form-urlencoded'); $req->addHeader('Host','appserver.example.com'); $req->sendRequest(); # actual response here is something like this: # boolean=true\n, referer: http://appserver.example.com:8000/identity-tests/login.php $res = $req->getResponseBody(); # this is a hack $pos = strpos($res, 'boolean=true'); if ( $pos === false ) { # if the string 'boolean=true' was not found in the response, our cookie is invalid, # so go back to the login page. error_log('(main.php) COOKIE WAS INVALID, GO BACK TO LOGIN PAGE'); header("Location: $LOGIN_PAGE"); return; } error_log('(main.php) YOU ARE A VALID USER, WELCOME TO OUR CONTENT'); ?> <html> <body> <p>Welcome valid user.</p> <p>Here's my protected content. :)</p> <p><a href="info.php">the (unprotected) info page</a> <br/><a href="logout.php">log me out</a></p> </body> </html>
I can't think of anything to add to this discussion that I didn't already mention in the introduction or document within the code, so I'll leave it at that for now.
I'll leave you with one additional link though, this one being a link to a page that documents some of the OpenSSO REST identity service calls that you can make. This page essentially documents the OpenSSO identity service API, and unfortunately finding that page was harder than writing the code.