Automated signups



NaX
04-11-2005, 02:15 AM
I am a PHP web developer and I am looking into the Reseller Hosting packages. I have searched the web and I think WestHost offers the most all-round solution. I am not a client but I will be as soon as I am finished building my site.

My only concern is with automation. I don’t like the idea of having to manually create accounts. So I have come up with an idea where a developer can interface with their reseller control panel from the sign-up section of their own website. So if someone signs up with me, their account is automatically added. This facility would greatly automate things, giving resellers more time to promote their sites and monitor their bandwidth usage and disk space usage. And make things ever more transparent.

In the same vein I would like to offer people the ability to buy domain names from my site when they sign up. So this means they will have to be able to do a search to see if the domain name is available and need to look up whois information.

I informed WestHost about my idea from the contact page of their site. 3 days later the ticket was killed without a response. A short response saying that they reviewed my idea and that they are looking into it would have been nice. Something would have been nice. In the same letter I had some questions. They were not answered. This for me was frustrating but I am not posting here to complain.

If WestHost is not already building or offering the facility to automate signups from resellers' websites, here is my idea. Tell me what you think.

My inspiration for this idea comes from the clickatell.com HTTP API.

You can securely authenticate and request information from them and send SMSs, and using this I have recently created a bulk SMS system for a client, and it was actually very easy.

This is how it works. Using PHP (you should be able to do this with most server side languages)

Before this you would have a form that the client would fill out and select the package they want.

You authenticate with your Reseller control panel. Securely using HTTPS.


<?php
$user = "user";
$password = "password";

$baseurl = "https://yourdomain_controlpanel.com/";

// auth call
$url = "$baseurl/auth.php?user=$user&password=$password";

// do auth call
$response = file($url);

// split response. return string is on first line of the data returned
// example of response: OK: 15d5eiogmk42394d
$sess = explode(":", $response[0]);
if ($sess[0] == "OK") {
    $sess_id = trim($sess[1]); // remove any whitespace
}

?>

Your control panel response will be OK: SESSION ID. If you type the full URL ($url) in your browser, it should display OK: SESSION ID. Using the file function we are setting the response to a variable. Then we are splitting the OK and SESSION ID and setting the $sess_id variable with your unique session id.

Now, if the authentication was successful, you would like to create an account using a certain package.


<?php

// The id number of the package. 3 could = your E-PRO package.
$package = 3;
$domain_name = 'client_domain';
$domain_type = 'com';

// any additional information could also be passed.
// Like if the domain is to be set up with westhost
// or being transferred. I am only focusing on a small part
$url = "$baseurl/account.php?sessionid=$sess_id&account=$package";
$url .= "&domain=$domain_name&domain_type=$domain_type";

// request account setup
$response = file($url);

// split our response. return string is on first line of the data returned
// example of response: ACCOUNT OK: 132
$account = explode(":", $response[0]);
if ($account[0] == "ACCOUNT OK") {
    echo 'your account has been successfully created';
}

?>

This is just one simple example of how you could interface with your control panel from your website. You could authenticate and then request information like whois information. The number of accounts set up today. Or set up an account on a specific VPS. Or set up a subdomain. Anything is possible; how much would be WestHost's choice.

I would like to see WestHost offer this type of facility to their resellers.
If WestHost did offer this type of facility it would put them head and shoulders above any other hosting solution I have ever seen.

Tell me what you think.

wildjokerdesign
04-11-2005, 07:12 AM
I voted yes. I am not sure about all the ins and outs and I can see your PHP skills are way beyond mine. :) My biggest question would be the security of the setup.

I have been wanting to see some development in the area of the Reseller accounts for some time. I'm sure WH is looking at changes but there is never much talk about it.

Something I actually would like to see developed is an easier way to manipulate the look of the Site Manager/Control Panel used for your clients. I have made some changes but what you can do is a bit limited. You can change images and colors but the actual layout is not available for change. I kind of get the feeling that I may be in the minority here and that most folks aren't as concerned with this.

BTW you may still receive a reply from the ticket you sent to WH. A ticket can show resolved when it is transferred to another person. Since this would not have fallen under the normal support category it could still be being reviewed but "removed" so to speak from the normal system. I'm a big pest when it comes to sending ideas to WH. :) Some of them get immediate responses and others show back up down the line. I have found that it is best to send separate tickets for questions. Keeps the focus on one thing and since there are different departments and folks that handle different areas it makes sure that something doesn't get lost in the shuffle.

Welcome to WH!

NaX
04-11-2005, 08:44 AM
Security is not an issue as you should be using HTTPS. This means your request will be encrypted so your username and password will also be encrypted.

If WestHost decides to offer something like this they should offer example code for you. And I will be very willing to help with the development of a SourceForge project to make it even easier. I am not the best PHP developer in the world but I would be willing to help as much as I can.

The code is not hard; I will walk you through it.

For this example you will need 2 files.
The first file would have a form. Let's call it sign_up.htm.
The second file has the PHP code that does all the work. Let's call this file wh_account.php.

The sign_up.htm file is an HTML form that posts information to your wh_account.php file.
There would be a text field called domain and a dropdown called package.

I have numbered the lines. To make it easier.



<?
1
2 $user = "user";
3 $password = "password";
4
5 $baseurl ="https://yourdomain_controlpanel.com/";
6
7 // auth call
8 $url = "$baseurl/auth.php?user=$user&password=$password";
9
10 // do auth call
11 $response = file($url);
12
13 // split response. return string is on first line of the data returned
14 // example of response: OK: 15d5eiogmk42394d
15 $sess = explode(":",$response[0]);
16 if ($sess[0] == "OK") {
17 $sess_id = trim($sess[1]); // remove any whitespace
18 }
19
20 // The id number of the package. 3 could = your E-PRO package.
21 $package = $_POST['package'];
22 $domain_name = $_POST['domain'];
23
24
25 // any additional information could also be passed.
26 // Like if the domain is to be setup with westhost
27 // or being transferred. I am only focusing on a small part
28 $url="$baseurl/account.php?sessionid=$sess_id&account=$package&domain=$domain_name";
29
30
31 // request account setup
32 $response = file($url);
33
34 // split our response. return string is on first line of the data returned
35 // example of response: ACCOUNT OK: 132
36 $account = explode(":",$response[0]);
37 if ($account[0] == "ACCOUNT OK") {
38 echo 'your account has been successfully created';
39 }
40
?>


Line 2 = the user name for your login
Line 3 = the password
Line 5 = Sets a variable $baseurl of the URL to your Site Manager and the directory that the files are in that you need to request from

Line 8 = sets the $url variable. In the $url variable you put it all together. $baseurl + auth.php + $user + $password.
auth.php is the file on the server that authenticates your username and password. And you are passing your username and password to it using the query string.

Line 11 = this is where you get a response. You pass the file() function your $url variable. And you make this = $response variable.

Line 15 = you split the response into an array and your separator is [:]
OK: 15d5eiogmk42394d is broken up into
array(
[0] => OK
[1] => 15d5eiogmk42394d
)

Line 16 = if array position 0 is equal to OK then
Line 17 = you make the variable $sess_id = array position 1. trim removes white spaces.
Line 21 = Setting $package variable = to the form that you posted (text field package)
Line 22 = Setting $domain_name variable = to the form that you posted (select field domain)
Line 28 = You are setting the $url variable again. This time using the account.php file, and you are passing your session id ($sess_id) and the package and the domain. [look at Line 8]
Line 32 = same as Line 11
Line 36 - Line 39 = Same as Line 15 - Line 18 except you are checking if it is equal to 'ACCOUNT OK'; if true, print out to the page 'your account has been successfully created.'

The file account.php creates the account in your package. This would be the same as you logging in and doing it manually.

Please don't try to use this code. I have not tested it and the files account.php and auth.php do not exist on WestHost.



BTW you may still receive a reply from the ticket you sent to WH. A ticket can show resolved when it is transferred to another person. Since this would not have fallen under the normal support category it could still be being reviewed but "removed" so to speak from the normal system.


I was not too sure what category to send it to. I sent it to Business Development.

torrin
04-11-2005, 09:09 AM
Security is not an issue as you should be using HTTPS. This means your request will be encrypted so your username and password will also be encrypted.
[SNIP]


<?
[SNIP]
4
5 $baseurl ="https://yourdomain_controlpanel.com/";
6
7 // auth call
8 $url = "$baseurl/auth.php?user=$user&password=$password";
9
10 // do auth call
11 $response = file($url);
12
[SNIP]
40
?>


Line 2 = the user name for your login
Line 3 = the password
Line 5 = Sets a variable $baseurl of the URL to your Site Manager and the directory that the files are in that you need to request from

Line 8 = sets the $url variable. In the $url variable you put it all together. $baseurl + auth.php + $user + $password.
auth.php is the file on the server that authenticates your username and password. And you are passing your username and password to it using the query string.
[SNIP]


Are you sure there are no security issues? It looks like you're passing the username and the password in the URL request on line 8. That seems like a huge security issue to me regardless of protocol. If for no other reason, the username and password will end up in the Apache log file.

I'm not a reseller, so I probably wouldn't have much use for it, but it would be very interesting to play with though.
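An added example (not part of the original posts, and not WestHost or Clickatell code) for the access-log concern above: over HTTPS the request line is encrypted in transit, but the server still sees it and normally writes it to its access log, so the sketch moves the credentials into a POST body. auth.php, the host name and the `OK: <session id>` reply are the thread's hypothetical API; the credentials are constructed sample values.

```php
<?php
// Added example. auth.php and its "OK: <session id>" reply are the thread's
// hypothetical endpoint; the host below is the thread's placeholder.
$baseurl = 'https://yourdomain_controlpanel.com';

// The request line as the web server receives it and as an access log records it.
function request_line(string $method, string $url): string {
    $p = parse_url($url);
    $target = ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
    return "$method $target HTTP/1.1";
}

// Stream context that carries the credentials in the request body instead.
function auth_context(string $user, string $password) {
    return stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query(['user' => $user, 'password' => $password]),
            'timeout' => 10,
        ],
        // Keep certificate checks on so the body only goes to the real panel.
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
}

// Accept only a well-formed "OK: <session id>" line; anything else is a failure.
function parse_session(string $line): ?string {
    return preg_match('/^OK:\s*([A-Za-z0-9]+)\s*$/', $line, $m) ? $m[1] : null;
}

$user = 'user';
$password = 'p@ss word';   // constructed sample value

// Weak form: same parameters as the thread's line 8, all in the request line.
$weak = "$baseurl/auth.php?" . http_build_query(['user' => $user, 'password' => $password]);
echo "logged (GET):  ", request_line('GET', $weak), "\n";

// Hardened form: the request line names only the endpoint.
$ctx = auth_context($user, $password);
echo "logged (POST): ", request_line('POST', "$baseurl/auth.php"), "\n";
echo "body (not in the access log): ", stream_context_get_options($ctx)['http']['content'], "\n";

// Live call, commented out because the endpoint does not exist:
// $reply = file_get_contents("$baseurl/auth.php", false, $ctx);
var_dump(parse_session("OK: 15d5eiogmk42394d\n"));   // sample reply from the thread
var_dump(parse_session("ERR: bad login\n"));         // constructed failure reply
```

The same reasoning applies to the `sessionid` parameter in the account.php call, which is also a credential for as long as the session lasts.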

NaX
04-11-2005, 09:18 AM
When you call the file() function Apache will act like a browser and set up an HTTPS session with the URL you pass it. I stand to be corrected but I think HTTPS uses OpenSSL.

And if you put that URL into your browser you should get a little lock in the corner, showing that it is a secure connection.

Another thing is that if your site is running on the WestHost network there will be added security because the connection will be between two servers running on the same internal network and will never go onto the internet. This is a different story if your site is not on the WestHost network. If your site sits on the same VPS, then it will be connecting to itself and it is even more secure.

I am not a network specialist but this is how I understand things to be.

Take a look at the clickatell code

http://www.clickatell.com/downloads/sample/Clickatell_sample_code.pdf
http://www.clickatell.com/downloads/http/Clickatell_http_2.2.4.pdf

This is the code that I got my idea from.

j103c
04-11-2005, 11:09 AM
I would be very careful to assume the requested URL is encrypted in an SSL transaction. That is not my understanding of how the protocol works. The URL request is made before SSL negotiation has taken place.

This is why most major sites do not place the username/password in the URL request string, and instead use some other combination of data in the query string to identify the user for that session.

NaX
04-11-2005, 11:25 AM
I would be very careful to assume the requested URL is encrypted in an SSL transaction.

If this was the case then there would be no point to SSL



"what does ssl encrypt?"

This question is usually geared toward whether or not the path and query string is encrypted in an HTTPS "get" request (this is where form field responses or program variables are tagged on to the end of the url). These fields are stripped off of the URL when creating the routing information in the https packaging process by the browser and are included in the encrypted data block.


This is a quote from www.ourshop.com (http://www.ourshop.com/resources/ssl_step1.html)

ALSO

If you look at the Clickatell_http_2.2.4.pdf page 3



It can be used either in the form of a HTTP POST, or as an URL (GET).
.......
Communication to our API can be done either via HTTP on port 80 or HTTPS on port 443.

j103c
04-11-2005, 11:59 AM
I would be very careful to assume the requested URL is encrypted in an SSL transaction.

If this was the case then there would be no point to SSL

Perhaps I should have been more clear. I did not mean the entire content behind the URL request, I meant the URL string itself.




"what does ssl encrypt?"

This question is usually geared toward whether or not the path and query string is encrypted in an HTTPS "get" request (this is where form field responses or program variables are tagged on to the end of the url). These fields are stripped off of the URL when creating the routing information in the https packaging process by the browser and are included in the encrypted data block.


This makes sense (I don't have time to hunt through the official RFC to verify), but if I was shopping on your site and noticed you were passing around my username and password in the URL string, you would lose me as a customer.

However that scenario is probably irrelevant to this thread, as you noted that the requests would be made between WestHost servers, so a man-in-the-middle attack or leaving traces in logs would be a lot less likely.
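An added example (not from the thread) of checking for the log traces mentioned above: it scans access-log lines for the parameter names used in the thread's hypothetical auth.php and account.php calls and prints each hit with the values masked. The log lines, addresses and credential values are constructed samples in Apache combined log format.

```php
<?php
// Added example: flag and redact credential-bearing query strings in access-log lines.
// Parameter names are those of the thread's hypothetical auth.php/account.php calls.
const SENSITIVE = ['user', 'password', 'sessionid'];

// Constructed sample lines (documentation-range addresses, made-up values).
$log = <<<'LOG'
192.0.2.10 - - [11/Apr/2005:09:18:01 -0600] "GET /auth.php?user=reseller1&password=hunter2 HTTP/1.1" 200 21 "-" "PHP"
192.0.2.10 - - [11/Apr/2005:09:18:02 -0600] "GET /account.php?sessionid=15d5eiogmk42394d&account=3&domain=example HTTP/1.1" 200 16 "-" "PHP"
192.0.2.11 - - [11/Apr/2005:09:20:44 -0600] "POST /auth.php HTTP/1.1" 200 21 "-" "PHP"
LOG;

// Returns [sensitive parameter names found, the line with their values masked].
function scan_line(string $line): array {
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [[], $line];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [[], $line];              // no query string, nothing to leak
    }
    $found = [];
    $pairs = [];
    foreach (explode('&', $query) as $pair) {
        [$name] = explode('=', $pair, 2);
        if (in_array(strtolower(urldecode($name)), SENSITIVE, true)) {
            $found[] = $name;
            $pair = $name . '=REDACTED';
        }
        $pairs[] = $pair;
    }
    $path = explode('?', $m[1], 2)[0];
    return [$found, str_replace($m[1], $path . '?' . implode('&', $pairs), $line)];
}

foreach (explode("\n", $log) as $line) {
    [$found, $redacted] = scan_line($line);
    if ($found) {
        echo 'CREDENTIALS IN URL (' . implode(',', $found) . "): $redacted\n";
    }
}
```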

NaX
04-11-2005, 01:29 PM
The thing is, you would not see the username and password in the query string. Using the file() function, Apache makes the connection, not the client's browser, and then passes the information back to your script.



When you call the file() function apache will act like a browser and setup a https session with the url you pass it.

Try it for yourself. Create a file with the following code. I called it file_function.php.
Then put it onto your server and open the file in your browser.



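<?php

if (isset($_GET['site']) && $_GET['site'] === 'google') {

    $site = file('http://www.google.com/search?q=php+ssl&sourceid=opera&num=0&ie=utf-8&oe=utf-8');
    echo('This is the site you asked for<br>Look at the URL is the google query string showing.<br><br>');
    echo '<pre>';
    // escape the fetched markup so it is shown as text instead of being rendered
    echo htmlspecialchars(print_r($site, true));
    echo '</pre>';

}else {
    // PHP_SELF is taken from the request, so escape it before putting it in the link
    echo 'you did not select a site try typing file_function.php?site=google or <a href="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) . '?site=google">click here</a>';
}

?>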


Then look at your browser address bar. Compare that to what is in the code line 5.