Hi there,
I've been working with another frontend for Zabbix (simplified from the PHP frontend) which is based entirely on the API, even the login mechanism. I've been implementing some listings and reports, but due to a deadline looming closer each day I was rushed into an integration: given that the user logged in to the application is the same user in the frontend, how do I show a screen from the PHP frontend inside an iframe in my application, preserving user rights (that is, no guest access, and showing a user only what he/she has permission to view)?
Snooping around I found out that the session ID (the sha1 hash) that the API returns to you after an authentication is the same one used by the PHP frontend, where it is stored in a cookie (zbx_sessionid). Since Zabbix and the application can run on different hosts, I needed to authenticate a user from the application on the PHP frontend. Setting cookies for another domain is totally out of the question, so how could I possibly solve it?
Here's how I did the quick and dirty way.
Basically my application implements an HTTP redirect to this file, which lives in the same domain as the PHP frontend. Since I can't set a cookie from the application host, I set the cookie from the host where the Zabbix frontend is, and then redirect the user to the page he/she should view.
PHP Code:
<?php
// Cross-authentication.
// This can authenticate a user in the frontend if there is
// a session id already registered.
// Basically it just [over]writes the zbx_sessionid cookie with
// the 'zbx_sessionid' parameter, and redirects to the page
// contained in the 'destination' parameter.
//
// Usage: /cross-auth.php?zbx_sessionid=e15edd520bc338e9837dc793dffc6ea25716a191&destination=events.php%3Ffullscreen%3D1
//        ('destination' is the URL-encoded form of events.php?fullscreen=1, so that
//         its '?' and '=' are not parsed as part of this script's own query string)
$sid  = isset($_REQUEST['zbx_sessionid']) ? $_REQUEST['zbx_sessionid'] : '';
$dest = isset($_REQUEST['destination'])   ? $_REQUEST['destination']   : '';
// $_SERVER keys are upper-case: 'http_host' is never set, 'HTTP_HOST' is.
$host = $_SERVER['HTTP_HOST'];
if ($sid)
    setcookie('zbx_sessionid', $sid);
// The Location header needs an absolute URL, and nothing should run after it.
header("Location: http://$host/$dest");
exit;
?>
I have some thoughts about it:
- Is there a way to preserve the fullscreen view, so that if the user clicks a link to show the details of an event, the title bar and the menu stay hidden?
- I don't think this is that much of a security hole, since the user is already logged in and already has a session identifier. Still, you can never know for sure what lurks beyond your network ...
- It would be perfectly nice to validate the session before setting the cookie.
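One way to do that last point, as an added example that is not the original poster's script: the same redirect endpoint, but it only accepts a well-formed session id and a frontend-local destination, and asks the Zabbix API whether the session is valid before writing the cookie. It assumes api_jsonrpc.php sits next to this script and that the API version in use offers the user.checkAuthentication method.

```php
<?php
// Hardened cross-auth.php (added example). Assumes api_jsonrpc.php is in the
// same directory and that the API exposes user.checkAuthentication.
$sid  = isset($_GET['zbx_sessionid']) ? $_GET['zbx_sessionid'] : '';
$dest = isset($_GET['destination'])   ? $_GET['destination']   : 'index.php';

// 1. A Zabbix session id is a sha1 hex digest: refuse anything else up front.
if (!preg_match('/^[0-9a-f]{40}$/', $sid)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid session id');
}

// 2. Only a frontend page plus an optional query string may follow the redirect;
//    no scheme, host or leading "//", so this cannot be used as an open redirect.
if (!preg_match('#^[A-Za-z0-9_]+\.php(\?[A-Za-z0-9_=&%.\[\]-]*)?$#', $dest)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid destination');
}

// 3. Ask the API whether the session is really valid before trusting it.
function zabbix_session_valid($api_url, $sid) {
    $request = json_encode(array(
        'jsonrpc' => '2.0',
        'method'  => 'user.checkAuthentication',
        'params'  => array('sessionid' => $sid),
        'id'      => 1,
    ));
    $ctx = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/json-rpc\r\n",
        'content' => $request,
        'timeout' => 5,
    )));
    $raw  = @file_get_contents($api_url, false, $ctx);
    $resp = ($raw === false) ? null : json_decode($raw, true);
    return is_array($resp) && isset($resp['result']) && !isset($resp['error']);
}

$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$base   = $scheme . '://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');
if (!zabbix_session_valid("$base/api_jsonrpc.php", $sid)) {
    header('HTTP/1.0 403 Forbidden');
    exit('session not valid');
}

// 4. Cookie scoped to this host, unreadable from JavaScript, Secure over TLS.
setcookie('zbx_sessionid', $sid, 0, '/', '', $scheme === 'https', true);
header("Location: $base/$dest");
exit;
```

The session id still travels in a query string, so it ends up in web-server logs and Referer headers; if the integration allows it, have the application POST it over HTTPS instead of redirecting with it in the URL.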