I have created a simple classic ASP script that will take a username and password from a POST and create session variables. This script works fine if I use a standard HTML form and redirect to this page. I have a PHP site and I want to log users into both websites when they log into the PHP site. To do this I wanted to add a curl request to the login script in PHP. This would send the password and username over to the script and create the session variables. The response I get from the curl request would suggest that it worked, but it doesn't seem to be saving the session.

Here is the curl request.

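```php
// URL-encode both fields so characters such as & or = in a password survive the POST
$postinfo = http_build_query(array('username' => $username, 'password' => $password));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);   // setting POSTFIELDS turns the request into a POST
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    // return the body instead of printing it
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
// Certificate verification is switched off here, so the credentials are sent to an unauthenticated peer
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$result = curl_exec($ch);
curl_close($ch);
var_dump($result);
```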

I don't want to paste the full ASP script, but this is roughly how it works. The session persists when I log in using an HTML form, so I know it's working correctly. When the curl request is finished executing it seems that the session variables are populated, but when I visit another page the session does not exist.

```asp
'do some stuff with the db to check if the credentials work.
if success = true then
    Session("userid") = userid
    Session("login") = "good"
    Response.Write("Login successful - " & Session("userid"))
else
    Response.Write("Login Failed")
end if
```

When I run the curl request the response is "Login successful - 123". This means not only is the login working, but it's also setting the session value. The problem is that when I try to visit the ASP site it does not detect any session data.

I have verified that all the links are pointing to https://www.website.com. Both websites are under the same domain name, just 2 different subdirectories/languages. They are both running on the same server.

user692942
Dan Hastings
  • Notice it points to an `https` URL; does the initial login request also happen over https *(it certainly appears to, judging by the PHP code)*? If not, check that [`New ID on Secure Connection` is not set to `True`](http://stackoverflow.com/a/23266202/692942) in the ASP session properties. Ideally, though, any login request should happen over https; if this isn't the case, it should be. – user692942 Oct 04 '16 at 10:51
  • Yes, the PHP script is running on https too. I checked the settings and "New ID on Secure Connection" = true. I made sure that all PHP and ASP scripts are https://www, as I know the sessions don't get shared across https/http and subdomains. Should I disable New ID on Secure Connection? – Dan Hastings Oct 04 '16 at 10:55
  • I would at least try it to see if there is a problem with the session thinking it's switching between an unsecure and a secure connection. Don't worry about the PHP script, that will not affect the session management, but the ASP login script will. That will need to run in the same domain with https for the session to persist if you don't disable the new ID setting. – user692942 Oct 04 '16 at 11:04
  • How did you get on? – user692942 Oct 04 '16 at 14:23
  • Still no luck. To rule out ASP as being the cause I tried to do the same thing using PHP and sessions were still not getting saved correctly. I even went as far as making the script output the absolute URL and it matches everything that I want to call it from. The script returns that it is running under https://www.website.com and this is what I want, yet the session isn't saving. – Dan Hastings Oct 04 '16 at 15:08
  • Perhaps the issue is cookies? – user692942 Oct 04 '16 at 15:12
  • The site doesn't use a remember-me cookie at the minute so it shouldn't be getting overridden. I've moved this to just be 2 test scripts. Could cookies be getting in the way in some other indirect way? Ajax is my last hope, but I don't like the idea of having to have the user's password in plain text within the HTML source. – Dan Hastings Oct 04 '16 at 15:17
  • ASP `Session` object still uses a "Session Cookie", if this is being blocked it won't remember the session and create a new session context. – user692942 Oct 04 '16 at 15:36
  • Are you not setting the session anywhere else in any other include? – pee2pee Oct 06 '16 at 14:09
  • Neither the PHP script nor the ASP have any includes to any other files. I was able to get this to work with ajax though. In the exact same PHP script I added the jQuery to perform an ajax post to the same URL with the same variables and this worked. The response was the exact same except the session data was persistent. Still, I am very uncomfortable with using a plain text password in the HTML source for the page. – Dan Hastings Oct 06 '16 at 14:37

0 Answers
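Following the session-cookie point raised in the comments, here is an added diagnostic example (not code from the question or from any commenter). It lists the cookies a login response sets when it is fetched with cURL; a session cookie that shows up here was issued to the PHP server's cURL handle, which is a separate HTTP client from the visitor's browser. The function name, the sample headers and the cookie name and value are constructed for illustration.

```php
<?php
// Added example: list the cookies a response sets, from the raw header block
// cURL returns when CURLOPT_HEADER is enabled. With a live handle the block is
// substr($result, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE)).

// Hypothetical helper: returns [cookie name => attributes], never the value.
function cookies_set_by_response(string $rawHeaders): array
{
    $cookies = [];
    foreach (preg_split('/\r\n|\n/', $rawHeaders) as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // status line, other headers, blank separator
        }
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        // First segment is name=value; the value is a session credential, so drop it.
        [$name] = explode('=', array_shift($parts), 2);
        $attrs = [];
        foreach ($parts as $p) {
            [$k, $v] = array_pad(explode('=', $p, 2), 2, true);
            $attrs[strtolower($k)] = $v;
        }
        $cookies[$name] = [
            'path'     => $attrs['path'] ?? '(request path)',
            'secure'   => isset($attrs['secure']),
            'httponly' => isset($attrs['httponly']),
        ];
    }
    return $cookies;
}

// Constructed sample of what a classic ASP login response can look like.
$sample = "HTTP/1.1 200 OK\r\n"
        . "Content-Type: text/html\r\n"
        . "Set-Cookie: ASPSESSIONIDEXAMPLE=CONSTRUCTEDVALUE; secure; path=/\r\n"
        . "\r\n"
        . "Login successful - 123";

foreach (cookies_set_by_response($sample) as $name => $c) {
    printf(
        "%s (path=%s, secure=%s, httponly=%s) was delivered to the cURL client\n",
        $name,
        $c['path'],
        $c['secure'] ? 'yes' : 'no',
        $c['httponly'] ? 'yes' : 'no'
    );
}
```

The browser only holds a session cookie for responses it received itself, which matches the behaviour reported for the AJAX variant in the last comment.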