Obscuring a username with mod_rewrite - php

I have a website that serves up various information for users who have accounts on it by accessing information listed under a username and a category. Using the variable names, u and c, the url looks like this:
www.originalwebsite.com/user.php?u=username&c=43
I want a user-defined custom domain to remove any evidence of a username variable or variable name. Other variables (like category) are fine to remain. Ideally, this would result in the following link pointing to the one included before:
www.customdomain.com/c=43
My reasons being that the custom domain would be unique for the user and, therefore, would be remove the need to specify the user (in theory, not in practice so far) as well as presenting the site from a custom domain in a manner that looks like a single site, rather than the portal like options of the original.
I can get www.customdomain.com/u=username&c=43 to work but am trying to think of the best method to remove reference to the username when using the custom domain (both the variable identifier and the variable itself). I'm struggling to think of how I'll inform the original website of what user account to use if it's not mentioned in the url itself.
At the moment my best idea is to let user.php handle this with a condition of whether the request is from originalwebsite.com or a custom domain. If finds that it's the latter, it checks it against a database listing and finds the relevant user settings discreetly. This feels like quite a slow procedure, however.
If my example is not clear, think of sites like Tumblr, where you can add a custom domain and, from that point on, urls make no reference of your user name.

From some discussion here and further research, it seems as though there's no quickfire way of doing this. It looks like I'm stuck with either keeping some form of reference that can identify a username in the url, using a cookie or sticking with my original idea of referencing the custom domain against a database to find the appropriate user and settings.
I've gone with the database referencing option as I need to remove references to any username from the url and I can't always rely on cookies. I need a 100% success rate of correct redirection.
I've changed my user.php file to check if the request has come from originaldomain.com or newdomain.com. If it's from originaldomain.com, it looks for a username variable in the url as it should have one for any user that doesn't have a custom domain. If it comes from a different domain, it checks to see if this domain is listed in the database and finds the user from this. There's a few catches that I'll need to trial but I've got 90% of the issue solved.

Related

Is it safe to use variable session data?

I have a (hopefully) quick question regarding sessions. Whilst I have used sessions extensively, I have not used them in a situation whereby the values change depending on a users actions.
After logging in to my application, a user can select a company area, which has many levels of pages and folders. All of these pages will need this 'company_id'. At the moment I send the company_id via GET, but as I get deeper into the application this is becoming increasingly hard to maintain, with various other data being stored in the URL.
Therefore, when a user selects their company, I could set their company_id in $_SESSION array. However, when a user changes company, I would then need to change $_SESSION['company_id'] to the new value.
Is this a good use of sessions? I could potentially clean up my urls by using session data rather than always using GET, but I am unsure if this is a recommended way of using sessions.
Thanks in advance
This is a bad implementation of the HTTP design philosophy. All HTTP requests should be self contained, RESTful. All information needed to get a specific page should be present in the request itself (URL, headers and body), not dependent on hidden state.
Super trivial example: you can't copy a URL to someplace or someone else and have them see the same page. The content of the page is dependent on session state, which has been laboriously set through the visit history of several previous pages. To return to this same page, you need to retrace the same steps, recreating some hidden server-side state to arrive at the same page.
This gets even more complex and messier if you take into account that a visitor may want to open pages requiring different states in two or more simultaneous tabs/windows.
All this isn't to say that it can't work, only that it's hideously complex and will break the usual expected behaviour of browsers, unless you really bend over backwards to somehow prevent that.
If the many levels of pages and levels are per-company, you can put the company_id in a specific include file - this part of the site being dedicated to a given company.
However if they're shared by multiple companies, and this is probably what you want, this is potentially misleading, or even dangerous depending on the user actions, since the user may jump to a given page (link...) and access a page with unexpected data linked to a company which ID is provided by the session or cookie.
You could dynamically build the links on a page, based on IDs, to ensure consistency during the navigation from that page. Any direct "jump" to another part of the site will not carry the ID with it (and the page may offer to select a company).
Depending on your web server and if you have control over it you could build the URL having "company ID" as an element of the URL path, not the GET parameters
Eg
http://example.com/invoicing/company382/listprices.php
using a rewrite (web server configuration) to change the URL to be actually used to
http://example.com/invoicing/listprices.php?compid=company382
(URL not visible to the user) that informs of the company ID via the GET parameters.

carrying custom wordpress query variable throughout session

I'm creating a wordpress site that needs to have two distinct versions. The changes in the two are only frontend, and will be very minimal so I don't want to create two separate sites.
Instead, I'd like to pass a query string along that dictates whether or not to serve the prop version.
People will access the prop site by going to http://example.com/?prop=1. Once they're there, I need that "prop=1" to be carried over when they click any link on the blog. I could do this by hand in all of the templates, taking all the links and making sure to append that query to them, but I'd like to do it in an automated way.
Basically, if that query var is there, carry it through to any links that person clicks on the site. If it's not, then serve regular links. I'm also open to using session variables, but someone should be able to visit the prop and regular sites at the same time in separate windows, so I'm not sure if that will work.
Your can try this solution - htaccess rewrite
or a redirect plug-in
basic idea will be using RewriteCond %{HTTP_REFERER}
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted. - php.net
http://www.php.net/manual/en/reserved.variables.server.php
if the current request has ?prop=1 then it will append ?prop=1 to the end , else nothing happens.
once user enters ?prop=1 mode they won't be able to leave it unless ?prop=1 is removed

user profile page generation

I am developing a dynamic website using PHP. When a user of the website creates an account, a profile page should be created for that user. Say, a user called 'dev23' creates an account on my website, his profile should be accessible through the link www.mysite.com/dev23
How do I create such a thing? Should I create a standard page like userprofile.php which is populated with data specific to the username provided? Or should I create a permanent webpage for every user?
Please let me know the right approach to this porblem.
Is the www.mysite.com/dev23 meant to be public or only visible to the logged in user?
If it is only visible to the logged in user, you can create a myprofile.php file which retrieves the logged in user from the session and retrieves data accordingly.
If it is meant to be a URL that other users can hit, you probably want some sort of userprofile.php page with data passed along to identify the user to be viewed. For example, the url might be www.mysite.com/userprofile.php?user=dev23. If you are using Apache for your web server, you can look at using mod_rewrite to make the URL prettier. Thus, you could have the URL www.mysite.com/user/dev23 routed to userprofile.php?user=dev23 and your PHP processes the same. It is just a means of making URLs be more user friendly than a naked query string. This is common amongst many PHP-based CMS systems such as WordPress, Joomla, etc.
Ideally you should be creating a single file that handles all users.
Certain frameworks like SkyPHP allow this by defining the attributes after a valid page as "queryfolders" which can be used much like GET/POST variables.
If you are not using a framework, I might suggest you look into using one to simplify your tasks.
SkyPHP also has a functionality where a single field in a table can be used to pull this data simply by defining the page as _table.field_name_
It will check to see if there is a matching table and field to pull the data from and will automatically pull the id of the record whose field's value matches that of the url and assign it to a variable.
Example... If we have a table called category and a field named slug, one would create a page named _category.slug_.php
Then the url... http://mydomain.com/watches would look for "watches" in category.slug and pull back the identifier of the record as $category_id with $category_slug available also.
It would solve your issue if you are willing to give it a shot.
Again refer to the documentation here... http://switchbreak.com/skyphp

PHP Guest Access to Website

I have a PHP project is essentially an order processing website for a company. Each user in the company has access to this website and is given certain credentials to the application that control access to pages and functionality throughout.
Now I have a request to allow a guest access to a single page. The complexity of this request is that the guest will be different each time as well as the page will be different. Basically it is a portal to allow customers, who don't have accounts within the system as there is no live ordering on this site, to be able to access and verify the order and shipping information.
My thought to accomplish this is to have a database table setup as a guest relationship table that will be used to store UIDs, MD5 Hash Keys and the destination page that the record is referring to. Also included would be a visit counter and expiration date. When the user receives an email they would have a link provided in the email to somewhere like http://website.com/verify/?HASH-KEY.
When this link is clicked I expect that the verify index.php page takes in the HASH, verifies it in the database and displays the page reference in the database within this location instead of redirecting into the application. This would allow guest access to the single page without the need to expose the structure of the website or a rework of the user authorization already setup.
Am I approaching this solution in the proper manner?
How do I grab the contents of one page and display it in another?
1. Am I approaching this solution in the proper manner?
Yep, more or less.
Some pointers:
Make sure you seed hash generation randomly. For example, DON'T simply MD5 a customer ID or some other small/sequential number, as that would make it easy for a malicious use to hunt down other pages.
Expire the hashed links after a set time out.
2. How do I grab the contents of one page and display it in another?
If you want people to "access and verify the order and shipping information" you should probably create a page specifically for it, instead of trying to pass through normally secure pages to insecure guests. Ie, a 'shipping confirmation page' that populates details according the data keyed by the supplied hash.
I'm trying to a follow this as well as I can.
It seems to be you should use your hash method, and just have a stand alone page that will generate the content you want, totally separate from the rest of the system. Just put enough data in your hash URL to determine what is needed.
Something else to do is use a timestamp in your hash string URL and have that timestamp part of the random bits that you generate your hash on. This will allow you to make a URL essentially "expire" after a certain point.
Example: url.com/in/123456789865/hash-here
You can compare "123456789865" in this example to the current server time and determine if its expired. Of course you need to make "123456789865" part of your hash encryption to still validate
If I understand you correctly (and I think I do), than I think you're approaching this correctly.
To include another page's contents, you usually use include.
include "/path/to/page.php";

How a site can tell whether a user inserted their own values in the URL

I am very curious because I would like to be able to check this myself on my own site, as I am currently in the process of designing it. An example would be:
www.somesite.com/product.php?id=1356
When using Facebook, a user can change it and they get the user associated with this id. But in other sites, specifically Ecommerce sites, when I change it, it either fails or goes to the homepage.
There isn't any way to see if the user changed it. This is part of secure coding. From the server's perspective, you need to validate all of your inputs, and validate that the current user actually should have access to the resource they're requesting.
See https://www.owasp.org/index.php/Top_10_2010-A4 for some additional details and examples.
Facebook may seem to allow this only for the example that you've given because the user profile ID that you're attempting to access may be public to you. However, you won't have access to all other user profiles - only user profiles that you have permission to access. If you tried to access my Facebook profile ID, you would also see your access be denied here.
Since this is tagged as e-commerce, you should also be aware of the PCI DSS if you aren't already - where 6.5.4: "Insecure direct object references" applies specifically to this scenario.
When using Facebook, a user can change it and they get the user associated with this id. But in other sites, specifically Ecommerce sites, when I change it, it either fails or goes to the homepage.
Facebook does the same thing.
https://www.facebook.com/profile.php?id=102934810293841029348 goes to an error page titled "Profile Unavailable", because that ID doesn't exist.
You're likely just changing it to nonexistent IDs.
That works via $_GET method (or $_REQUEST)...
The reason you can change some site id (or any other parameter which is part of the url), and it works, is that because they programmed it to behave like that. It actually depends of how this url parameter is used in the background. For example, in product.php you will have something like this:
if(isset($_GET['id']) {
$id = $_GET['id'];
$id = filterid(id)..... and so ...
// Maybe check for id and redirect if id is not ok
// Maybe check for id and some additional secrete parameter ...?
// What is the id? What kind of behavior you want?
}
Reason why you have different behaviours across different websites - in dependence of url parameters (in this case "id") - is because different behaviours are implemented under different circumstances...
Some of them implement strict checks (especially for id's) because of the security!? For example, if you have page and you know that your id must be a number, and you know, that the max id in your database is for example 15000, you can write something like this....
if(isset($_GET['id'] && strlen($_GET['id']) <= 5 && isNumeric($_GET['id']) {
//if everything is ok you can execute your code here
}
else {
$id = 1; //if someone try to put something else in id, you will simply redirect him on first id(firs product)
}
That is just one example of behaviour. Now consider what else can be done? What do you want to do? How do you want it to behave? What kind of behaviour you will implement on your side - in dependencie of the parameters within the url is to totally up to you. User can follow up your logic on your web app by clicking on your predefined links - or he can manipulate with the url how ever he wants. You dont have possibility to check this. All what you can do is properly validate all of the inputs (no matter are they coming from the URL or some kind of post request)

Categories