Data I can encode in QR code - php

I have an index.php page and a dashboard.php page. After entering credentials, user logs into the dashboard.php.
Now i want to display a QR code which can be used by the user to directly log into dashboard.php using his phone.
This can be achieved if I somehow encode the session values in the QR code. But is it possible to do so? I have only managed to store the url of the page to index.php

You need to use QRcode class to achieve what you want..
may be below links can help you out..
http://qrcodescript.com/
http://www.sitepoint.com/generate-qr-codes-in-php/
http://phpqrcode.sourceforge.net/

If you're showing the QR to a user that has logged in, you can use the session hash and encode it in the QR code you show to the user as a GET parameter (site.com/qrlogin.php?code=123456). The session data needs to be on the server (so no cookies, no local storage, etc...). This is used if you want the user to log in using the phone while he's also logged in from a computer. Pretty harmless.
However, if you want a more permanent solution, there is nothing you can do that won't pose a security threat (the app has no way of knowing who scanned the code).

Related

How to avoid a login bypass in my webpage by entering URL

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However I noticed that if a user enters in the URL http://example.com/documents.html (where documents.html is a page in my website) it get access to the page contents without login in first.
I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success, (get same results as above). So if someone could lead me on how to avoid this, that would be great.
This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.
My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.
This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.
One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.
As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.
For me I added this code in the start of webpage that should be only accessible of logging in.
<?php
if(isset($_SESSION["username"])) {
//Code to run if logged in
} else {
//This will return the user to login page if the user is not logged in
header("Location: login.php");
}
?>
This will protect the exclusive pages for user page even if the url is manually typed.

Automatic login in net2ftp

I have a ftp client (net2ftp) embeded to a html page to upload files.
Now this file uploader comes with a login sistem. There is a way to set something like an auto login?
Let me set this more clearly, when my user comes to the net2ftp login page he/she is already logged in my main page, so its pointless for him/her to log again. So I want to find a way to make the net2ftp log automatically with the user's credentials.
I apologize if this text seems a bit confusing, english is not my native language.
Thanks!
Ok, I finally solve it. It was pretty easy actually.
For the autologin in net2ftp you need to go to 'net2ftp/files_to_upload/includes/registerglobals.inc.php', you'll see there is an array called net2ftp_globals, as its name sugests, it contains all the global vars, including the server and user name, languaje and skin options, etc.
You need to set the following vars this way:
$net2ftp_globals["ftpserver"] = [your ftp server name]
$net2ftp_globals["username"] = [your username]
$net2ftp_globals["password_encrypted"] = [your password]
then, in the same class, you need to change this vars
$net2ftp_globals["state"] = "browse"
$net2ftp_globals["state2"] = "main"
This way, net2ftp is going to be redirected to contents table and will skip the login page.
Keep in mind this only works is you have a ftp configuration for user, if you have users with more than one ftp server this is not a good solution for you.
There is actually an easier way to do this as of 2018(and more reliable I think).
On version 1.1 of net2ftp there is an option to bookmark a directory which creates a direct link to any directory you wish, automatically logs the user in and bypasses the login page. The link comes in this format:
https://example.com/admin/ftp/index.php?protocol=FTP&ftpserver=ftp.localhost&ftpserverport=21&sshfingerprint=&username=[username]&password_encrypted=[encrypted_password]&language=en&skin=shinra&ftpmode=automatic&passivemode=no&viewmode=list&sort=&sortorder=&state=browse&state2=main&directory=%2Fpublic_html%&entry=
You can then put an iframe on your page like this:
<iframe src="admin/ftp/index.php?[The rest of the link is the same as above]></iframe>
So let me get this straight, the user is already logged in onto your site, but will then need to log in into net2ftp?
Well, if your site is servicing this net2ftp service, and their login credentials for net2ftp are the same as your site, why don't you just alter the embed form code to have their credentials echo'd into the login fields? Does that work, or are you wanting to avoid the login feature entirely?
Perhaps submitting a link to your site would help.

Getting contents of referring page with php

I'm trying to enable screenshots of the page a logged in user is currently on. I've placed a button that needs to:
read in the content of the referring page
save it to a file
render that file as a PDF
redirect back to the referring page
The problem I've run into is that users are logged in and on pages that are very specific to them. I can't grab the page via CURL with generic credentials because the screenshot won't be applicable, and I don't have the user's credentials.
How can I read in the contents of the current/referrering page with PHP without access to the users credentials? I've tried file_get_contents which was not working either.
It sounds like your mechanism is going to be faulty anyway: you're not saving the page as it looks to them, but rather saving the page as it looks to CURL at some point in the future.
If you want an accurate solution, then you need to save a copy of the rendered HTML somewhere server-side as you send it out (you can use PHP's output buffering to capture it) and mark the file you save with some sort of key that goes to the user. If the user clicks the button, it sends that key to the server which you use to look up the saved HTML file, and process it as desired.
Significantly less efficient, of course, but there you go. Alternately, you can save just the parameters processed in the page such that you can re-render it with PHP if required. Still no curl involved, but less saving going on. Obviously you don't need to keep this cache information long; just a few minutes, so storing it in ram (e.g. memcache) would be sufficient.
I don't believe this can be accomplished ethically without obtaining the user's credentials.

Hiding actual link in hyperlink

I have
echo <a href=\"javascript:;\" onClick=\"window.open('". $link ."','no','scrollbars=yes,width=550,height=400')\" >View report</a>
$link contains sensitive information, so I'm wondering if there is a simple way to prevent this link showing up explicitly when you "view source code" on the browser. Any alternative to href would be fine. I just need to give the user an option to click and see his processing result after he submits some data. I would like to avoid having auto popups as soon as the processing is submitted.
UPDATE: so the $link is a GET URL that includes a user ID and password.. It's internal right now so it's fine, but I'm thinking of putting this on our online server in the future. I'm very much a novice with PHP, so this is probably not in the near future as I don't know much about security features that need to be implemented for a live site on the Internet. Right now, it seems that utilizing a database would be the best way to go. Correct me if I'm wrong, please, and thanks for all of the support!
If the user has to navigate to the link, there is no way to actually hide the information. You should rethink how your process works so sensitive information is not displayed in the link.
Perhaps you can store the information in a database table and the link would just use the id of the row that has the information.
Simply put: No. If you send me to a URL, I will be able to see it using some sort of tool. Wireshark, Fiddler, etc. Consider using a different link structure.
If the user already owns a session, this is an option:
If you render a page and need to protect this given sample secret URL
http://www.MyHost.com/?what?secret&id=23232
save the URL in the user's session and associate a hash value with the secret URL.
Instead of sending the URL to the result HTML-page, insert another URL, e.g.
http://www.MyHost.com/?continueWith=<hashValue>
If this URL gets called, check the user's session and retrieve and delete the secret URL. Then continue to evaluate, as if the user had called the secret URL.
This way, no parameter of the original secret URL ever reaches the user's browser.
To refine the schema, attach a lifetime to the URL saved in the session. If a request comes later as the end of life, return an error.
If you protect all URL in such a way, users won't be able to call arbitrary URLs, since all acceptable URLs are those inside their sessions. Thus, a user will even not be able to change parameters of less secret URLs.
How is $link generated in the first place? If it is sensitive, this implies that the user has already been authenticated somehow. Thus, the information in $link can be stored in the session where it's safe
Save all the information in your PHP session (or preferably the session system your PHP framework uses) and then just send some kind of non-db-associated identifier in the link so that the code knows what you want to do next.
For example you could have a link to "http://www.yourdomain.com/sec/special_action/4" with "sec" meaning secure, "special_action" being the name of the action to take, and "4" being the action id reference.
So lets say you have to have it associated to their social security number. Then you would in your back end use a salted hash to encrypt the SSN and save it to the session data. You then append it to the end of your session array and get an array count. If it returns 5 then you know that the encrypted SSN is saved in index 4 (since PHP uses 0 based indexing). So you send along that index as part of the link to confuse things even more. Heck you can even salt and hash the index if you want.
The user clicks on the link, the code finds the index, grabs the encrypted content, decrypts it, then uses it. Easy and secure.

Hide pdf to non registered users

I've hit a dead end with this code I'm working on. I have a website where users can register and will be able to view certain pdfs when they are logged in. My question is though, how do I hide this file to make sure that only those currently logged in can subscribe. I keep track of my users with a MySQL database and have been using PHP for all the server side coding. Ideally, the solution won't involve the user having to sign in again or anything like that. I'm not necessarily looking for code (though its always appreciated :D), but any bump in the right direction would be great.
Thanks for any help you guys can offer.
if(isset($_COOKIE['login']))
{
header('Content-Type', 'application/pdf');
readfile('secret/books.pdf');
exit();
}
else
{
include('login.php');
}
The only way to secure the URL to the user is to require a login, which is something you don't want to do. (Obviously as long as the session is open via a cookie or whatever you are using, the person could access it.)
But keep in mind that once a person as the link to the PDF, they can download it and give it to somebody else. So in my opinion, you should simply focus on making it impossible for the average person to guess the URL.
In other words, simply putting the PDF on a URL that is not guessable is sufficient security given that a person can easily duplicate the PDF.
That said, if you want to lock it down a bit, you could give each user his own unique URL for the PDF. Thus if somebody does copy the URL around, you know who did it. Also, you could have URLs expire after a certain time.
That URL could be stored in the database as a url -> pdf lookup. No authentication would be required to access it.
Two thoughts on that:
1) store your PDF outside of your public readable WWW folder and include it to an authenticated user like ayush proposed
2) protect the file with a username and password using htaccess and access it with curl. cURL can provide the correct credentials without making the user re-authenticate.

Categories