What I'm trying to do is creating a page to show my accounts balance. I got a bit sick of logging into my bank accounts using username and password since I've got two different with (luckily) very long/twisted password. So I want to code this self-login and then show the balance. That's it. No money transfer, nor payments.. Just the balance! But I thought it was a bit easier.. I mean, I know it's a bank website so it must be secure, but if I login remotely (let's say I'm able to make it) giving you my credentials, why don't you work? Why you just work on your own server? I know ssl, https, verisign, etc. But do you think there's any way I can do this? Of course there are no API's for third party developers, I have to find a way myself.
So this is what I did: I tried to log into the first bank account "remotely" (let's call bank.com the bank website). So if the page bank.com/login has a form with username and password, I made a localhost/login page that looks exactly the same. In fact, the action is the same as well, so after logging in I will be redirected anyway to my bank account (i.e. bank.com/dashboard). Simple? Not really.. There's a hidden field, a token, which changes every x time. So apart from what I did already, I should be able to add to my form this field as well. I should simulate this process from localhost: go to the bank website, enter the login area, browse the form, find the hidden field (token) and take note of it. Then add it to my localhost form and, eventually, log in from there. Well, the login area on bank.com is under https protocol so I can't access its content. My plan epically failed. Or not? I tried using file_get_contents to flush the bank.com/login content into localhost/login page, but it doesn't work. It looks like it's protected (verisign) cause the page is loaded completely, but part of its content is not available as it shows Error 500: java.lang.NullPointerException. I guess it's part of the verisign handshake, so the content is available just after this process. Do you have any idea? Should I give up instead? :)
Related
Well, I have a WordPress site. Today when I checked the Google traffic reports, I caught a backlink from a different URL. After I checked the URL, I was shocked: somebody copied my web site!
I think "it" used curl or file_get_contents(). And after getting page, it changed my URL to its URL.
Already, Google created indexes of this URL.
How can I block this access from this "bot"?
Note: I checked db access and file permissions, it is fine.
When I closed server, clone site closed.
When I add publish new content, clone site also does it.
When I change theme file codes, clone site changes.
I don't have any experience with wordpress, but, it seems like that this 'bot' copied your front-end and then using your API to function in the same way.
This below is guessing on what the other site's owner is trying to do:
If you have a login site, then I think the copy site's owner tries to phishing on the login data, then try to use it to get sensitive information from other sites with the same login data - since a lot of people has the same user-password pairs on every site.
If this is the case, the first thing you should do is to make sure that this site wont show up in any search engines.
In the same situation I would try to figure out what is the IP/domain of the copy site and then put set up firewall rules to block all of the request from there. With this you can't really prevent the users to enter their login info to that site, but hacking is done by programmers, so if you are lucky then your clients/users data wont be saved in the phishing database. This only happens if the phishing layer is putting the user-pwd into the database only if the login is successful. But it's more likely that there is a successful and IP field in the phishing DB too, so the spams can be filtered.
If the "phisher" is not saving IP field then the last thing you can do is to ruin the phishing database. For this you need to get the IP of the other site, and filter your incoming request. If the sender of the request has the other site's IP address, then instead of checking the login permission you should just send back a similar response, that you used to send, when one successfully logs in to your site. With this each successful and unsuccessful login will look the same in the phishing database. This still belongs to the defense category. Spamming the phishing database counts as attacking, so I don't recommend that.
By default the user's should be able to realize if their data is being phished, but as we know it's not used to happen, however you can't help much on the realization skills.
If you don't have any login page, then the situations is not that bad.
Copying a website is illegal, so you can do a lot more
We have a donation button on our web site that goes to PayPal. The donation gets processed, the user clicks a button on the PayPal success page and is then redirected back to a PHP page with a list of maps to download. I want to limit who can access this page to users coming from PayPal or users coming from our site. I have tried various .htaccess rules and they don't seem to work with users coming from PayPal http_referrer wise. And the referring IP always ends up being my IP address at home. I also tried coding the PHP redirect target form such that it with only renders the page if they are coming from paypal.com or from our site. Otherwise, they get an error page. So can anyone please suggest a better way to restrict access to the redirect page after the PayPal success page? Thanks.
There are many ways to go about it. This is something I have used in the past.
Firstly, you want to give access to users who have made a payment (or donated). Depending on whether you want to give users (who have paid) a one time access or allow multiple visits even after they log out, you can check whether this user, in this session, made a payment or not.
Here's one way to achieve it:
// PAYMENT CONFIRMATION
$payment_success="FALSE"; // DEFAULT to payment failed
$payment=mysql_real_escape_string($_GET['payment']);
$ab=$_REQUEST['ab'];
$tx=$_REQUEST['tx'];
$st=$_REQUEST['st'];
$amt=$_REQUEST['amt'];
if(($tx!="") AND ($st=="Completed") AND ($amt!="")){
$payment_success="TRUE";
}else{
header("location: index.php"); // or wherever you want to send users who haven't paid.
}
If you want to give access to users who have paid even after they have logged out, then you need to either set a cookie on their browser using setcookie(); or track their IP [$_SERVER\['REMOTE_ADDR'\]][2]and add to your DB so every time a user comes to your page, you can run a check to see if they are in your safe list or not.
Good luck
I ended up just adding a static token to the end of the PayPal redirect URL back to my site. I test the token within the target PHP page and let them access the target maps page if the token is correct. And I give them an error screen if it is not. This is a short term fix as I will have to manually change the token every now and then to keep people from bookmarking the page and downloading our maps more than once.
I'm going to experiment with either generating random buttons with different tokens or seeing if PayPal has something that they can send from their end that I can verify.
Thanks for the reply.
I have seen MANY questions on this before online in many places, however, out of about 30 forums and whatnot, NONE of them have had the solution I need, and that includes stackoverflow. If anyone could help me find a reliable solution, it would be greatly appreciated, so thanks in advance!
I'm going to explain my site and situation with as much detail as possible in order to help any who want to help answer my questions. Here is my situation:
I have a website and I use PHP and MySQL. My website is a "private" organization site. In order to allow people access to the site, I send new members of our organization and invite code. The user then visits the website, and the index.php file simply contains a form for logging in as well as a link to the registration pages. New members click the "Register Here" link to begin registration. The first registration page asks for the user's last name and invite code which are checked against a database to make sure that person is on the list and has not yet registered. If they pass the check, they are taken to the next page in which they enter required information (username & password, email address, etc.) as well as some optional information (phone, bio, etc.). If the user creates a valid username and password and has all required fields filled out, their information is stored in a database. Passwords are all salted and hashed properly and securely, so there is no problem there, and the whole registration process works as it should. After registering, the user is taken back to index.php where they can now log into using the username and password they just created. This works as well; when the user logs in, their username and password are checked against the database, and if successful, the user is logged in. When the user is logged in, an ONLINE value in the database is set from False to True. The user is now logged in and can use the site as it is intended. On my site, there is a column that lists users that are currently online (based on the ONLINE value from the database). When the user clicks the "Log Out" button which is located on every page of the site, the logout.php script is run, ending the session and setting the ONLINE value back to False. This all works fine and dandy, however, the problem comes when the user closes the browser without logging out first. This is where I have seen many different "solutions" various places on the internet. I am going to explain why they won't work and why I need a better solution.
The answers I see most often involve some sort of session timeout or destroying sessions, which is irrelevant because of the fact that the session already does, in fact, end when the user closes the browser, but that has no effect on telling other users whether or not that person is currently online. When the session ends, the database won't be updated, which causes a problem due to the fact that a user can only be logged in from a single instance. If a user attempts to log in while their ONLINE value is already set to TRUE, they aren't allowed to log in.
I have also seen suggestions of using a "Last Seen" value instead of an online value, and if a user hasn't had any activity within the past x amount of minutes, log the user out. This won't work, however, for two reasons. 1) That script still has to be running somewhere in order for that to work, meaning another user must be logged in for that to work. That basically means that, if using this method, if a user closes their browser or if they loose connection, they won't be able to log back in until another user logs in. With my organization being a small, locally based organization as it is, there are likely to be many times in which there are no users online. Also, even if another user is logged in, the user whose connection was lost still won't be able to log back in until after x amount of minutes has passed, so if the user accidentally closed their browser and wanted to log back in immediately, they simply wouldn't be able to.
A less frequent solution I came across involved using the onBeforeUnload JavaScript function, but those most definitely will not work due to the fact that those would trigger any time a user clicked on a link or on the "Back" and "Forward" buttons. Also, if the user has JavaScript disabled in their browser, this will not work at all.
The last thing I have seen involves while loops and the connection_aborted function, and this is the only one that seems like it could work, yet I have not seen a very clear description of how this should work, and after spending months experimenting with it, I still have not come up with a reliable solution.
In many forums, I have seen people say that "it's not possible," but that can't be the case considering there are sites that do it somehow. I have tested and experimented with this on several sites. On a site that has users such as Facebook or any forum website, there is a list of "online" users, and in the case that a user closed their browser, their name would no longer appear on the list, so it is possible, even if it can only be achieved through some obscure method. So, if anyone knows of a solution, I would greatly appreciate if you could share some of your wisdom on this subject!
Try creating a Heartbeat mechanism in javascript.
this method would start sending an ajax call to your webmethod on timely basis use.
setInterval(function(){
sendPulse();
},30000);
sendPulse(){
var varUserID = userID;//any unique user identifier that can be found on server side
$.ajax({
url: "Default.php/updateUserStatus",
UserID: varUserID,
type: "POST",
dataType: "json",
contentType: "application/json; charset=utf-8",
success: function (mydata) {
//alert("pulse sent");
}
});
}
On server side, you must have a method with same name and case sensitive parameter. the should be static and marked as webmethod. in this method save the current time for the user. you should have a mechanism to know what users have very old pulse, do this check when a user tries to do something or performs any operation. I have implemented this approach and works very well.
That's the answer: persistent connection between client and server. For this, you will need a TCP connection, like websockets nowadays, or a flash old duplex connection. From here on, TCP takes care of noticing you when someone connects or disconnects. What you got to do is a websocket server (for example) who just traks connections (push and pop from an array), and also a way to respond to a "get_users_online" message. You can access your user's session (read only) via the websocket server, and then see if the user is logged-in (and in this way, you can store his nickname in session, access further from websocket server), see if he is admin (session->is_admin).
Pretty simple, I would say.
Here is the library I've been using: http://socketo.me/ . It uses a library for decoding symfony2 sessions, but for simple applications, you don't need decoding (symfony2 applications encodes sessions, so the websocket server has to decode them).
Big note: Sessions has to be stored externally (not in file system /tmp) like a ORM or NoSql.
Either way, escuse me, but I have to say that that the "Last time" seen is super okey. Most of the sites rely on this. You understood something wrong, you don't need to have a living server for checking "Last time" always, when you request /admin.php?users_online=1 , you make a query where "Last seen > NOW() - 5 minutes" (won't work written like that), so you can even get rid of the "ONLINE" "OFFLINE" field.
I suggest using a websocket approach, it's fun. :)
Good luck!
I've been asked to leave passwords and user names aside since most of the site visitors are stop-buy-come-back-several-months-later-kind of visitors, and the motivation was somewhat along the lines "they would forget there passwords any way and have to request new ones".
I suspect there is no realistic way for me to do this thinking IP:s probably change and browsers get updated, cookies are cleared and so forth.
Or do I have any options?
(not that I'm looking for code but rather concepts and pseudo but the language in the project is php/js coupled with an apache server)
Use OpenID.
Let Facebook, Google, Wordpress, or even Stack Exchange handle the authentication for you, and people wont have to remember another password.
Alternatively:
Many users understand the "forgot my password; check my email" routine by now, so why not just short-cut it by having them input their email and send them a login url with a randomly generated token to log in with.
Once they're logged in, keep them logged in for as long as you deem secure.
We do the following in our e-commerce solution:
We use email as a unique identifier.
When a customer makes a purchase using the same email, the order will be attached to their existing user. You don't however get any address details or stuff like that, but have to enter it manually.
The customer will receive an email with a generated password if it is a first time buy. If it is a second time buy, they will just be instructed to log in. This can however be combined with a url and a login token. Likewise for logging into the site, you could just have them enter an email to receieve a login url token.
Combine this with a long living cookie and/or the browsers datastorage to remember the customers details (address and stuff like that).
Another option would be to have them entering something about themselves that they would always know, but others wouldn't. However it is hard to have an internationally workable solution for this.
You could use so-called supercookies, which is offline storage on the client side. Either through html5 offline storage, or plugin like flash to restore deleted cookies. Although, these cookies is likely to be banned at some point, since they're mostly hidden for the user, and very hard to get rid of. (Not recommending this approach, just saying it's possible)
Authentication credentials break down to three options;
Something you know - passwords
Something you have - physical keys, cards
Something you are - iris, retinal and other biometrics
The best you can do is use cookies I think. Or...I guess you could have them download a file, and upload that file as their access credential - same idea as a cookie but unlikely to be deleted. You would have to think carefully about what to put into the file however - their user id isn't enough, as it would be easily hacked. A random long string would do, one that is saved into the database on their account. Nothing that can be predicted, and nothing that can be used to guess a different account's credential.
A couple of options come to mind:
Use a persistent cookie, but only do this in conjunction with SSL (so it simply can't be sniffed off the wire)
Another option is OpenID like you use here - therefore vistors can use an account they use often to log into your site.
It seems to me that your only option is giving them a forever cookie and hoping it doesn't get purged between visits.
You can read about them here.
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
Don't want the username or password, only interested in the returned token (http://www.othersite.com/?token=blahblahblah), which will then be passed as a querystring to a page on my domain (http://www.mydomani.com/loadtoken.php?token=blahblahblah).
Currently, a user has to do this in a separate page, copy and paste the token into my page, since these tokens only have a short life, it's somewhat irritating practice, and if it can be done behind the scenes by the site instead it would make it simpler for everyone.
Reading around on iframes, divs and ajax suggest this is not possible due to security policies, cross site scripting, etc.
Is it possible? What should I be looking for or concentrating on, or can you give some examples.
Thanks for your help.
Edit: Should have said, I understand that it's possible to take the username and password and do a POST behind the scenes, but I really want to avoid making the users give my site their login details to another site, for obvious reasons.
The simplest method is to present the login form on your own site. The form posts to your server, and the handling script then does a CURL request to do its own request to the other server. This sends the login response (which presumably contains that token) to your server.
However, if this token takes the form of a cookie, and the cookie's required for the user to do further operations on their own on this other site, then this won't work. There is absolutely no way for your server to accept the cookie on the user's behalf, then send the cookie to the user in such a way that it appears to have been set by the other server.
The easiest way would be for you to post that form's information to the remote host and have that site send the token to a callback script on your own host.
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
You can't do that
What should I be looking for
OAuth / XAuth (which will require the co-operation of the site you are trying to log in to)