Forums
This topic is locked
url parameter protection
Posted 18 May 2008 22:40:12
1
has voted
18 May 2008 22:40:12 Adam Stockland posted:
I am creating a site using dreamweaver 8, php, and mysql. The problem I am seeking a solution for is this: Even if a page is restricted to a specified user group and a login and password is required to access the page. Once a user is on the page they can simply change the url parameter to access any page as long as that page is restricted to the same user group. So, for instance my site contains models, photographers, and advertising agencies as users. If a model logs in to their control panel......once they are their all they have to do is change to url parameter above to gain unrestricted access to any other models control panel. They could them make the other model FAT with one click of the mouse. How do I restrict access to a page to ONE user......the user who is logged in?Thanks in advance for your help
Adam
Adam Stockland
Replies
Replied 19 May 2008 12:52:46
19 May 2008 12:52:46 Alan C replied:
Hi Adam,
You will probably get other responses, but here's my 10c worth.
Passing parameters via urls uses the GET method - so it just appends the data to the url and of course as you say it's open, completely changeable by anyone with a browser. I struggled with this and wanted something much more secure, I started from a tutorial that I found on evolt.org about login and access level to pages and worked from that, writing my own. Yes i know that's a lot of work, but I end up knowing just how it works. The way that I pass parameters from one page to another is via the session variables, and, just to make that even more secure I put the parameters into an associative array whose keys are md5 digests of the actual keys, and those are generated immediately before use and used only once, it's that md5 that is sent as the url parameter.
That means that even if the user is logged in and using the system but changes the url parameter it's very unlikely to match, sounds complex but it was not very difficult to implement.
I think passing your parameters via the session is the way to go because those are never exposed to view.
Hope that helps
You will probably get other responses, but here's my 10c worth.
Passing parameters via urls uses the GET method - so it just appends the data to the url and of course as you say it's open, completely changeable by anyone with a browser. I struggled with this and wanted something much more secure, I started from a tutorial that I found on evolt.org about login and access level to pages and worked from that, writing my own. Yes i know that's a lot of work, but I end up knowing just how it works. The way that I pass parameters from one page to another is via the session variables, and, just to make that even more secure I put the parameters into an associative array whose keys are md5 digests of the actual keys, and those are generated immediately before use and used only once, it's that md5 that is sent as the url parameter.
That means that even if the user is logged in and using the system but changes the url parameter it's very unlikely to match, sounds complex but it was not very difficult to implement.
I think passing your parameters via the session is the way to go because those are never exposed to view.
Hope that helps
Replied 19 May 2008 19:55:09
19 May 2008 19:55:09 Adam Stockland replied:
Thanks Alan -
I did change over to SESSIONs. Not sure why I didnt go that route in the first place. Thanks for the link to evolt.org.....Ill see if I can find that tutorial....Id like to use some encryption.
Adam
<BLOCKQUOTE id=quote><font size=1 face="Verdana, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Hi Adam,
You will probably get other responses, but here's my 10c worth.
Passing parameters via urls uses the GET method - so it just appends the data to the url and of course as you say it's open, completely changeable by anyone with a browser. I struggled with this and wanted something much more secure, I started from a tutorial that I found on evolt.org about login and access level to pages and worked from that, writing my own. Yes i know that's a lot of work, but I end up knowing just how it works. The way that I pass parameters from one page to another is via the session variables, and, just to make that even more secure I put the parameters into an associative array whose keys are md5 digests of the actual keys, and those are generated immediately before use and used only once, it's that md5 that is sent as the url parameter.
That means that even if the user is logged in and using the system but changes the url parameter it's very unlikely to match, sounds complex but it was not very difficult to implement.
I think passing your parameters via the session is the way to go because those are never exposed to view.
Hope that helps
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Adam Stockland
I did change over to SESSIONs. Not sure why I didnt go that route in the first place. Thanks for the link to evolt.org.....Ill see if I can find that tutorial....Id like to use some encryption.
Adam
<BLOCKQUOTE id=quote><font size=1 face="Verdana, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Hi Adam,
You will probably get other responses, but here's my 10c worth.
Passing parameters via urls uses the GET method - so it just appends the data to the url and of course as you say it's open, completely changeable by anyone with a browser. I struggled with this and wanted something much more secure, I started from a tutorial that I found on evolt.org about login and access level to pages and worked from that, writing my own. Yes i know that's a lot of work, but I end up knowing just how it works. The way that I pass parameters from one page to another is via the session variables, and, just to make that even more secure I put the parameters into an associative array whose keys are md5 digests of the actual keys, and those are generated immediately before use and used only once, it's that md5 that is sent as the url parameter.
That means that even if the user is logged in and using the system but changes the url parameter it's very unlikely to match, sounds complex but it was not very difficult to implement.
I think passing your parameters via the session is the way to go because those are never exposed to view.
Hope that helps
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Adam Stockland