5

Just trying to do some security on my website and trying to figure out the best route to secure an ID.

EXAMPLE: http://localhost/page.php?id=90 TO: http://localhost/share/22349234987sdsdf9sdf87423498asf9

I am using HTACCESS to do the share part. But would like to hide the '90' and try to discourage anyone from just adding random numbers to try and receive a different response.

Any thoughts on how to create something like this, or if something already exists that works well with implementation?

Security is a factor, so just trying to find the best solution out there...

Justin
  • 2,502
  • 7
  • 42
  • 77

3 Answers3

5

Hiding the ID is obscurity, not security.

If you want good obscurity, look at the mcrypt functions in PHP. Make sure to append a salt before encoding and decoding, otherwise it will be easy to guess the encryption/decryption.

And be aware that anyone else might still stumble across your URLs, defeating this entirely. I'd use some form of HTTP Auth over HTTPS if you want security, too.

Mark Rose
  • 971
  • 9
  • 15
  • Yes I have implemented this over a HTTPS structure, just for this sake I was wondering how to 'obscure' the ID the best way. I will look more into the ID MCrypt. Thanks – Justin Feb 09 '11 at 17:12
2

A friend of mine implemented a method of signing all the GET requests with the current session token and a secret to prevent CSRF attacks.

But what you are trying to do is to have an URL that you can share with other people.

You could create an MD5 hash that resembles the original url, and save both in the database.

Now when /share/someLongId is opened, you can check in the database where to which URL that hash belongs and can redirect the user to that URL.

Another possibility is to use GUIDs instead of auto-incrementing IDs in the first place. That way all the IDs are just longer and not that easy to guess.

Sebastian Hoitz
  • 9,343
  • 13
  • 61
  • 77
2

Depending on if you need it (the URL) to be persistent or not, you cold do either:

non-persistent: do something like this:

function getLink($id) {
   $random = md5(uniqid());
   $_SESSION['links'][$random] = $id;
   return "http://localhost/share/$random";
}
echo getLink(10);

and then:

function getTrueId($id) {
  if(isset($_SESSION['links'][$id]) {
     return $_SESSION['links'][$id];
  } else {
     die("Unknown link!");
  }

}

This will make links usable only to the current user in current session. If you need it persistent, you can generate random IDs and store them in the database along with real IDs, but this may be pointless, as the random ID can be used instead of real ID to do the same things...

StasM
  • 10,593
  • 6
  • 56
  • 103