Is there a way to save a "Client ID" through PHP? - php

I have to build a (PHP based) landing page that is used on WIFI access points (HP Aruba). The requirement would be: "If already filled the form for access, just show www.google.com (without logging in or something), if not, show them the form".
I would have done that by registering their MAC addresses, but I found out that was impossible through PHP.
Do you guys have any idea of how I could achieve this?
Thank you already !

Easiest way is probably setting a cookie that 'this' user has been authenticated and redirect them to another page.
Another possibility can be https://github.com/Valve/fingerprintjs2 that allows you to create a 'fingerprint' of a user. This you could save in your backend and compare it next time the user comes to your page.
EDIT, I linked to fingerprintjs, but there is a new version, fingerprintjs2

Related

Making of Referral System

I'm currently working on my Referral System, but I have a problem with protecting it from fraud.
Okay, here's how it works for now:
user registers and activates its account
user now has access to the control panel and there is its unique link in the following format: domain.tld/ref/12345
when someone else clicks the user's link, he or she must click a specific button to confirm that it is not some kind of fraud (like "click here, you'll get $100" or something)
system writes visitor's IP in a database and some data to cookies to prevent re-pressing the button. User now has +1 point.
But, the problem is that the visitor can change its IP, clear cookies and hit the button again. It takes a few seconds, and that's not OK, that's cheating.
How to prevent it? Is there some trick to get some unique computer ID or something that can't be changed that easily?
Really the only options are to tie the process to something which is not so easily manipulated by the user - super cookies, browser fingerprints, OpenID, Email addresses and telephone numbers (the latter 2 using some sort of validation step before a vote is counted)
The only way you can be certain a referred party does not reuse a referral code is for the original user to send different one-time-use-only referral URLs to each person. Once the code has been used, it is flagged as such in (or removed entirely from) your database so that it can not be used again.
How you prevent the original user from sending multiple links out to the same person is another matter - and not an easy one to resolve.
Who do you perceive to be the threat?
Although it's certainly not 100% accurate, you can still fingerprint visitors using for example a combination of their ip, browser user agent, and with some javascript you can even go for screen size or installed fonts. Using these pieces of information you can set up a system where you save the fingerprints in datatable and in the same record you store the session id (from the cookie). Now when a new visitor arrives you can test their fingerprint against the db of recent fingerprints with different visitor ids. If you find a large number of matching fingerprints (you define the threshold) with different sessions then you can alert for the possibility of fraud.
Cheers
How about storing the link with the user when they navigate to the link. Then in the database you will have the link and if the user has already been to the link then deny them. Seems like it could work then you wouldn't have to worry about the cookies etc...
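
The fingerprint-and-threshold check described in an earlier answer can be sketched as follows. This is an added example, not code from any of the posters; the function names, record fields and the threshold of 3 are assumptions, and the sample records are constructed.

```php
<?php
// Added example: hypothetical helpers; field names and threshold are assumptions.

function visitorFingerprint(array $visit): string
{
    // Combine the signals named in the answer: IP, user agent, screen size.
    return hash('sha256', implode("\n", [$visit['ip'], $visit['ua'], $visit['screen']]));
}

// Returns [fingerprint => distinct session count] for fingerprints seen
// with at least $threshold different session ids.
function suspiciousFingerprints(array $visits, int $threshold): array
{
    $sessionsByFp = [];
    foreach ($visits as $visit) {
        // Array keys act as a set, so a repeated session is counted once.
        $sessionsByFp[visitorFingerprint($visit)][$visit['session']] = true;
    }
    $flagged = [];
    foreach ($sessionsByFp as $fp => $sessions) {
        if (count($sessions) >= $threshold) {
            $flagged[$fp] = count($sessions);
        }
    }
    return $flagged;
}

// Constructed sample records (documentation IP ranges, made-up session ids).
$ua = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$visits = [
    ['ip' => '203.0.113.7', 'ua' => $ua, 'screen' => '1920x1080', 'session' => 's-a1'],
    ['ip' => '203.0.113.7', 'ua' => $ua, 'screen' => '1920x1080', 'session' => 's-b2'],
    ['ip' => '203.0.113.7', 'ua' => $ua, 'screen' => '1920x1080', 'session' => 's-c3'],
    ['ip' => '203.0.113.7', 'ua' => $ua, 'screen' => '1920x1080', 'session' => 's-c3'],
    ['ip' => '198.51.100.20', 'ua' => $ua, 'screen' => '1366x768', 'session' => 's-d4'],
];

foreach (suspiciousFingerprints($visits, 3) as $fp => $count) {
    printf("possible fraud: fingerprint %s seen with %d sessions\n", substr($fp, 0, 12), $count);
}
```

Because the IP is part of the fingerprint here, a visitor who changes IP between clicks produces a new fingerprint, which is the limitation the question itself describes.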

PHP Guest Access to Website

I have a PHP project that is essentially an order processing website for a company. Each user in the company has access to this website and is given certain credentials to the application that control access to pages and functionality throughout.
Now I have a request to allow a guest access to a single page. The complexity of this request is that the guest will be different each time as well as the page will be different. Basically it is a portal to allow customers, who don't have accounts within the system as there is no live ordering on this site, to be able to access and verify the order and shipping information.
My thought to accomplish this is to have a database table setup as a guest relationship table that will be used to store UIDs, MD5 Hash Keys and the destination page that the record is referring to. Also included would be a visit counter and expiration date. When the user receives an email they would have a link provided in the email to somewhere like http://website.com/verify/?HASH-KEY.
When this link is clicked I expect that the verify index.php page takes in the HASH, verifies it in the database and displays the page reference in the database within this location instead of redirecting into the application. This would allow guest access to the single page without the need to expose the structure of the website or a rework of the user authorization already setup.
Am I approaching this solution in the proper manner?
How do I grab the contents of one page and display it in another?
1. Am I approaching this solution in the proper manner?
Yep, more or less.
Some pointers:
Make sure you seed hash generation randomly. For example, DON'T simply MD5 a customer ID or some other small/sequential number, as that would make it easy for a malicious user to hunt down other pages.
Expire the hashed links after a set time out.
2. How do I grab the contents of one page and display it in another?
If you want people to "access and verify the order and shipping information" you should probably create a page specifically for it, instead of trying to pass through normally secure pages to insecure guests. Ie, a 'shipping confirmation page' that populates details according the data keyed by the supplied hash.
I'm trying to follow this as well as I can.
It seems to me you should use your hash method, and just have a stand alone page that will generate the content you want, totally separate from the rest of the system. Just put enough data in your hash URL to determine what is needed.
Something else to do is use a timestamp in your hash string URL and have that timestamp part of the random bits that you generate your hash on. This will allow you to make a URL essentially "expire" after a certain point.
Example: url.com/in/123456789865/hash-here
You can compare "123456789865" in this example to the current server time and determine if it's expired. Of course you need to make "123456789865" part of your hash encryption to still validate.
If I understand you correctly (and I think I do), then I think you're approaching this correctly.
To include another page's contents, you usually use include.
include "/path/to/page.php";
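
The two pointers given in the answers above (a link that cannot be derived from a guessable order number, and an expiry timestamp that is itself covered by the hash) can be combined in one keyed hash. This is an added example, not code from the posters: `makeGuestLink()`, `verifyGuestLink()`, the `/verify/<order>/<expiry>/<mac>` layout and the order id are assumptions, and it uses HMAC-SHA256 with a server-side key rather than plain MD5.

```php
<?php
// Added example: hypothetical helpers for a signed, expiring guest link.

function makeGuestLink(string $key, string $orderId, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    // The MAC covers the order id and the expiry, so neither can be edited.
    $mac = hash_hmac('sha256', $orderId . '|' . $expires, $key);
    return sprintf('/verify/%s/%d/%s', rawurlencode($orderId), $expires, $mac);
}

// Returns the order id for a valid, unexpired link, or null otherwise.
function verifyGuestLink(string $key, string $path, ?int $now = null): ?string
{
    if (!preg_match('#^/verify/([^/]+)/(\d{1,12})/([0-9a-f]{64})$#', $path, $m)) {
        return null; // malformed link
    }
    $orderId = rawurldecode($m[1]);
    $expires = (int) $m[2];
    $expected = hash_hmac('sha256', $orderId . '|' . $expires, $key);
    if (!hash_equals($expected, $m[3])) {
        return null; // forged or edited link (constant-time comparison)
    }
    if (($now ?? time()) > $expires) {
        return null; // signature is valid but the link has expired
    }
    return $orderId;
}

// Assumption: a real deployment loads a fixed key from server-side config.
// A fresh random key per run keeps this demo self-contained.
$key = random_bytes(32);
$issuedAt = 1700000000;                                     // constructed timestamp
$link = makeGuestLink($key, 'ORD-1001', 86400, $issuedAt);  // constructed order id

// Case 1: link opened within its 24 hour lifetime.
var_dump(verifyGuestLink($key, $link, $issuedAt + 3600));
// Case 2: same link opened after the expiry time.
var_dump(verifyGuestLink($key, $link, $issuedAt + 90000));
// Case 3: expiry field edited by hand to extend the lifetime.
$edited = preg_replace('#/\d+/#', '/9999999999/', $link, 1);
var_dump(verifyGuestLink($key, $edited, $issuedAt + 90000));
```

The verified order id is then used to populate a dedicated confirmation page, as the first answer recommends, rather than to include an internal page.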

Redirect after user switching (impersonating) in Symfony 2

I searched everywhere but it seems impossible thing to do.
I was able to catch SwitchEvent coming from SwitchEventListener and get both impersonator and target user objects (one being impersonated as) but I would really like, based on target user roles to redirect request to some other URL.
Example:
I have two restricted areas: "/basic" and "/elevated" where first one requires ROLE_BASIC and the other one ROLE_ELEVATED role. Now, if I am currently logged in as ROLE_ELEVATED user and want to switch to some ROLE_BASIC user using URL:
/basic/?_switch_user=some_basic_user
that would result in AccessDeniedException, and I'm forced to navigate first to:
/?_switch_user=some_basic_user.
Only after that I can navigate to /basic as token has been written to session.
Now, the question, as subject suggests: Is there any way to redirect user using SwitchEvent (or any other) after doing user switching?
Ok, I finally got access to my dev computer and looked up the solution to this problem.
And, I got to say, it is not as clean as I wanted it to be but delivery date was critical and this was the only way to achieve it back then.
So, what I basically did was to send AJAX (although, I set async to false) request to URL /?_switch_user=some_basic_user, wait for an answer and if it was successful I would navigate forward to /basic/?_switch_user=some_basic_user URL. I know, it's quick and dirty, and is pretty much unreliable...
Hope this helps....
You can just generate the right link to begin with:
...
Of course, the URL can be generated by twig's path helper too:
...

Should I use sessions for "LOGINS" on my site?

I have a classifieds website, where anyone (no need for login currently) can post a classified. It is PHP based.
The procedure for posting is currently like this:
click on "New Classified" --->
fill in a form of all information and hit "View classified before publishing it" --->
the form submits to a "verify classifieds" page, where users verify their inputs --->
If everything is okay in the "verify" page, then the user hits OK and the classified is published.
The above procedure isn't exactly optimized. The first page (new_classified) where the form is, is pretty good, but the second page (verify) uses x number of hidden inputs in another form, used to contain the previous pages form inputs.
Now you know how it works on my site.
The issue today is that a lot of companies want to publish their classifieds, and a lot of classifieds at the same time. This means they have to fill out the form again and again currently.
I am thinking about creating a login, for companies only, so that their information is automatically inputted into the form, so all they would have to do is fill out the specific classified details like "headline" and "description" etc.
How should I do this in my case? Sessions?
This means I will have to create a new MySql table (I use MySql mainly) and store company-profiles there.
So do you think converting to sessions is a lot of work? Worth it? More reliable?
I have never used sessions so I wouldn't know.
As a last note, you should know that I use a picture upload tool on the first page of "new_classified". When a user chooses a file to upload, the page is automatically *refreshed*, and then the image is displayed on the same page under section "images uploaded". I hope the session won't interfere with this approach.
Thanks
I think it is worth your while to do logins, and even on a very basic level it will help you to identify who is using your site etc.
This is probably a big debate around developers, what is the best way to do a good login system, whether it's basic or not doesn't matter, I think the concepts still stay the same.
In your case I would suggest session cookies along with a login table consisting of user details. This would help you to verify the user on more than one occasion during his/her visit to the site.
A login is checked against a user entry in a table and then a session cookie is created. This session you can choose to never expire also.
You can then on every step check that the user is the user that is supposed to be logged in and get the companies details by checking the username. This would make for a better query in my opinion.
Sessions aren't a lot of work and it's relatively easy to learn.
http://www.php.net/manual/en/book.session.php
http://www.9lessons.info/2010/02/php-login-script-with-encryption.html is a good example of what you can do with this. Have a look around still. There are a bunch of these great tutorials on the web.

Check when page changed

I'm new here, also a novice programmer, and not really familiar with PHP. I don't even know the name of some of the techniques I used when building my apps. I'm sorry for that, but I'll try to explain the best I can.
So I'm building a web app with PHP / AJAX right now, and I've got to the point where some users (with their own privilege) have their own home page, which shows notifications for them when something new happened in the system. I think I used the "get" method from the url to determine which page the user is in right now.
Here's a simple illustration :
A user with "Staff" privilege logged in, and then redirected to his home page. (http://localhost/apps/staff.php)
He opens the notification page, and the url changes to : "http://localhost/apps/staff.php?cmd=notification"
I don't know the name of the technique, but here's how I do it : I get the cmd value using "$_GET['cmd']" and then pass it onto a function that checks what page to display.
The problem is, I want to delete the content of the notification table and move it to the history table when the user leaves the page so only the newest notifications will show. So I think I need to know when the user leaves (moves) to another page, or when the cmd value changes. My question is, how ?
Ps. I'm still a student at a university so this is my homework. Please just point me in a direction and/or clue rather than write the code for me (and a clue to the name of that "get" technique is welcomed :p). I know I still got a lot to learn, but English is not my native language and I've tried google and stackoverflow with no result (I believe it's because of my bad English and not knowing the name of the techniques I used).
Use a cookie to track the status of the notification.
See this thread for more info: Best way to show an admin message to certain users?
You can check if user went to notification (after his default user page) page like this:
if (isset($_GET['cmd']))
{
    // delete old notifications
    // and move to history table
    // show new ones now
}
This checks whether the query string value cmd is there; if it is, he has moved to the notification page.
