
I have been doing some research on this the past couple of days and have yet to find a solution. I have seen suggestions that include the PHP exec() function to call an outside application to handle this. I have been looking for a tutorial like this one for a PHP-based site - http://securitythroughabsurdity.com/2007/04/implementing-smart-card-authentication.html. Any advice or guidance on this would be greatly appreciated.

Thanks, Jerry

Edit - I was checking out this post, "How to make php application to require smart card authentication", but it does not pertain to my goal. Can SSLVerifyClient require be used with a Smart Card?

  • I think you'll need to have the web server handle the X.509-certificate based authentication and pass the user credentials to the PHP script as a server variable. The client's private key could be stored on a smartcard, but of course the web server has no direct control over that. – Borealid May 03 '11 at 14:41
  • Thanks for the response. Unfortunately, I don't manage the server the site is hosted on, so I have had a lot of obstacles. – Jerry May 05 '11 at 15:42
  • What sort of interface / device do you have to get data from the Smart Card? I built an app several years ago that used a magnetic card for authentication. There are [devices](http://www.google.com/products/catalog?q=magnetic+card+reader&um=1&ie=UTF-8&tbm=shop&cid=9253952205062488166&sa=X&ei=gz8cT_2rD4-ctwfBzPSoCw&ved=0CIwBEPMCMAA) which act like a keyboard so you swipe the card through that device while the mouse focus is the text input of some form. Perhaps something similar would work here? – quickshiftin Jan 22 '12 at 16:56

Answer

We use smartcard solutions in Estonia a lot because of national ID support in many places. I think you are a bit confused by something - you do not need exec(). What you need is to configure your web server (IIS in this case) to request a certificate from the client. This has nothing to do with PHP. This can be done based on path, subdomain or the like, and it can be optional or required. For example, we often configure a subdomain a la http://id.foobar to be accessible with ID only. The chipcard is just a carrier for the certificate and keys. Usually this is anyway called a "client based certificate"; google for it.

It is possible to configure a mandatory or optional client certificate requirement. Mandatory is safer because people without an ID card have no chance to see anything on your server. But this also has a downside - they also cannot see any error messages from you. We often use the optional requirement.

On the PHP side you just receive some sort of environment variable. You need to check its contents. You get what you are searching for by Googling for SSL_CLIENT_S_DN. This is the name of the variable you get when using the Apache web server. About IIS I know nothing, but the fundamentals are the same; just the variables and configuration options are named differently.

Tõnu Samuel
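The following is an added example, not code from the question or the answer, of the split the answer describes: Apache mod_ssl performs the client-certificate check, and the PHP script only reads the resulting SSL_CLIENT_* variables. It uses the optional mode the answer recommends (SSLVerifyClient optional, so people without a card still get an error page) and shows the check a practitioner needs in that mode: trusting SSL_CLIENT_S_DN only after SSL_CLIENT_VERIFY reports SUCCESS and the issuer is one you accept. The Apache directive names and the SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL and SSL_CLIENT_S_DN_CN variables are real mod_ssl names (Apache 2.4 DN format); the issuer DN in TRUSTED_ISSUERS, the certificate file path and the fake $_SERVER array used for the command-line self-check are constructed placeholders.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes Apache httpd 2.4 with mod_ssl and these directives in the TLS virtual host
// ("optional" is the mode the answer recommends: users without a card still see an
// error page instead of a failed TLS handshake):
//
//   SSLVerifyClient       optional
//   SSLVerifyDepth        2
//   SSLCACertificateFile  /etc/ssl/certs/card-issuer-chain.pem   # placeholder path: CA(s) that issue card certs
//   SSLOptions            +StdEnvVars                            # exports SSL_CLIENT_* to PHP
//
// The issuer DN in TRUSTED_ISSUERS is a constructed placeholder; replace it with the
// issuer DN of your card CA (visible in SSL_CLIENT_I_DN on a test login).
declare(strict_types=1);

const TRUSTED_ISSUERS = [
    'CN=Example Card Issuer CA,O=Example Org,C=EE',   // placeholder, not a real CA
];

/**
 * Derive a login identity from the mod_ssl variables, or return null.
 * $server is normally $_SERVER; it is a parameter so the function can be
 * exercised with a constructed array without a web server.
 */
function smartcard_identity(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE (no cert), SUCCESS, GENEROUS or FAILED:<reason>.
    // With "SSLVerifyClient optional" the SSL_CLIENT_S_DN* variables can be present even
    // when verification failed, so this check must come before anything else is read.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }

    // SUCCESS only means the chain ended at *some* CA in SSLCACertificateFile.
    // Pin the issuer so a certificate from another CA in the bundle cannot log in.
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    if (!in_array($issuer, TRUSTED_ISSUERS, true)) {
        return null;
    }

    $serial = $server['SSL_CLIENT_M_SERIAL'] ?? '';   // certificate serial number, hex
    $cn     = $server['SSL_CLIENT_S_DN_CN'] ?? '';    // subject CN, the human-readable name
    if ($serial === '' || $cn === '') {
        return null;
    }

    return [
        // Key the account on issuer + serial: unique per certificate, unlike a CN,
        // which two people (or a reissued card) can share.
        'id'     => hash('sha256', $issuer . '|' . $serial),
        'name'   => $cn,
        'serial' => $serial,
    ];
}

/** Bind the verified identity to a fresh PHP session. */
function login_from_smartcard(array $identity): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['user'] = $identity;
}

if (PHP_SAPI !== 'cli') {
    // Web request: the server already did the cryptography; PHP only decides
    // whether the presented, verified certificate is one it accepts for login.
    $identity = smartcard_identity($_SERVER);
    if ($identity === null) {
        http_response_code(403);
        exit('No valid smart card certificate was presented.');
    }
    login_from_smartcard($identity);
    echo 'Logged in as ' . htmlspecialchars($identity['name'], ENT_QUOTES, 'UTF-8');
} else {
    // Command-line self-check with a constructed $_SERVER-like array.
    $fake = [
        'SSL_CLIENT_VERIFY'   => 'SUCCESS',
        'SSL_CLIENT_I_DN'     => 'CN=Example Card Issuer CA,O=Example Org,C=EE',
        'SSL_CLIENT_M_SERIAL' => '0A1B2C3D',
        'SSL_CLIENT_S_DN_CN'  => 'MARI MAASIKAS',
    ];
    $noCard = ['SSL_CLIENT_VERIFY' => 'NONE'] + $fake;   // same DN fields, but unverified
    echo 'verified card accepted: ', var_export(smartcard_identity($fake) !== null, true), PHP_EOL;
    echo 'unverified card rejected: ', var_export(smartcard_identity($noCard) === null, true), PHP_EOL;
}
```

The order of the checks is the point: in optional mode the DN variables alone prove nothing, so the script tests SSL_CLIENT_VERIFY first, then the issuer, and only then reads the subject. Running the file with the PHP CLI exercises both branches of that logic without a web server.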