4

I have a login protected back office website written in ASP classic running on Windows. Login status is stored in a session variable. I also have a PHP page that should be accessible only to logged in users. How do I check in PHP that the client is logged in to this website?

P.S. There may be multiple users accessing the page at the same time.

Yury Fedorov
  • 14,508
  • 6
  • 50
  • 66

2 Answers2

9

By assuming both PHP and ASP applications share the same domain name, here's a step by step guide.

1 - Create an asp file named sessionConnector.asp.

2 - In sessionConnector.asp, serialize the Session.Contents object into a format that PHP can deserialize, JSON for example. You can use JSON.asp from aspjson. 

<%@Language=VBScript CodePage=65001%>
<!--#include file="JSON.asp"-->
<%
Set JSONObject = jsObject()

For Each Key In Session.Contents
    If Not IsObject(Session.Contents(Key)) Then 'skip the objects cannot be serialized
        JSONObject(Key) = Session.Contents(Key)
    End If
Next

JSONObject.Flush
%>

3 - Create a PHP function named GetASPSessionState().

4 - In GetASPSessionState(), make an HTTP request for sessionConnector.asp by specifying the Cookie header filled with $_SERVER["HTTP_COOKIE"] which must contains identifier of the ASP Session, so ASP can identify the user and the response will vary by user.

5 - After fetching the response (string of JSON), deserialize by using json_decode and look for the ASP session variable. 

function GetASPSessionState(){
    if(stripos($_SERVER["HTTP_COOKIE"], "ASPSESSIONID") === false){
        # since ASP sessions stored in memory 
        # don't make request to get ASP session state if the cookie does not contain ASPSESSIONID
        # otherwise IIS will create new redundant sessions for each of your checks so it wouldn't be a memory-friendly way
        # returning an empty array
        return array();
    } else {
        $options = array('http' => 
            array('method'=>"GET", 'header' => "Cookie: " . $_SERVER["HTTP_COOKIE"])
        );
        $cx = stream_context_create($options);
        $response = file_get_contents("http://mywebsite.com/sessionConnector.asp", false, $cx);
        return json_decode($response, JSON_FORCE_OBJECT);
    }
}

$aspSessionState = GetASPSessionState();
if($aspSessionState["IsLoggedIn"] == true){
    //user previously logged in with the ASP
}
Kul-Tigin
  • 16,728
  • 1
  • 35
  • 64
  • Looks good. But I need a solution for the reverse scenario where the user begins on a PHP page and then is redirected to an ASP page where I need to get the PHP session data. – WilliamK Sep 11 '21 at 23:35
  • 1
    That deserves its own question. The solution would simply be the vice-versa @WilliamK. Let me know if you ask a new question for your scenario, I'll try to help tomorrow. – Kul-Tigin Sep 11 '21 at 23:45
  • 1
    I am banned from asking common sense questions! However I did arrive at a solution by auto-submitting a PHP form to the ASP page. – WilliamK Sep 12 '21 at 00:08
  • 1
    @WilliamK Sorry to hear that. It's better than sharing session between platforms if your current solution works and is sufficient. – Kul-Tigin Sep 12 '21 at 02:21
1

My solution was to auto-submit a webform which works both ways regardless of whether PHP to ASP or ASP to PHP.

On the leading page simply add an OnLoad to the body tag like so:

<body onload="document.xxx.submit()">

Where "xxx" is the is the ID of your form that contains the hidden fields that you want to pass. For example:

<form id="xxx" action="example.asp" method="post">

This will work locally and across domains.

WilliamK
  • 821
  • 1
  • 13
  • 32
  • this also relies on the client to provide accurate information about which session is it in currently. This is a bad practice for security reasons. Best to only trust items from the server. – Matthew Bradford Aug 22 '22 at 13:36
  • If you are filtering form inputs, which should always be done, there will be no security concern. – WilliamK Aug 22 '22 at 20:32