Solved

hiding variables in URL

Posted on 2012-03-09
252 Views
Last Modified: 2012-03-13
While I typically use POST vars on forms, I need to expose a var in a URL. I was wondering if it is possible to set up the server so it does not show this; I am looking for a secure solution.

So I want to go from

http://isomewhere.org/thePage.php?id=132

to this

http://isomewhere.org/thePage.php?
Question by:lvmllc
16 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37704767
Silly question: does your thePage.php work as expected without the id variable?

Author Comment

by:lvmllc
ID: 37705009
No.  I must at least get an ID var. Typically this is provided in a POST but because the project is not a linear set of form pages I also have code that will use a GET if the POST is null.  When this happens, the ID is displayed in the URL and this is what I want to hide.
LVL 20

Assisted Solution

by:virmaior
virmaior earned 40 total points
ID: 37705018
There are two or three ways to circumvent showing that.

One is POST, as you mention.
Another is to set that id in a COOKIE and then read it from the $_COOKIE array.
The third is to set variables in $_SESSION, using session_start() and then $_SESSION.

The difference between a COOKIE and a SESSION is merely that in a COOKIE all of the variable values are stored on their computer. In a SESSION, only a single variable to identify the session is stored on their computer and everything else is stored in a SESSION on the server.

In other words, you cannot obfuscate it when using GET ... but you can altogether avoid using GET.
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 50 total points
ID: 37705082
Have a look at the design pattern around the $h variable here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_27622821.html#a37704965

If your script does not update the data model, you should use a GET method request with an "exposed variable" in the URL.  Nothing is so frustrating as spending a lot of time going through complicated forms to look up an important piece of information, only to find that you cannot bookmark it.  Are you listening Fairfax county government?

If you want to avoid data harvesting with web scrapers, you can use keys that are not readily predictable.

You may also find that your programming can use $_REQUEST, thus allowing for POST method requests to be overridden by GET method requests.  If you do this, you will have a known security exposure, and you will want to give especially careful attention to the mantra, "Accept Only Known Good Values."
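The pattern the two answers above describe (take the id from POST, fall back to GET as the asker's pages do, keep it in the session afterwards, and accept only known good values) as one added PHP example; this is not code from the thread. The session keys, the user_owns_record() helper and its ownership table are assumptions standing in for the asker's database code.

```php
<?php
// Added example (not from the thread): resolve the record id from POST first,
// then GET, then the session, validating it as a positive integer and checking
// that the logged-in user may see it. Hiding the id in the URL would not stop
// a user from typing a different one; the ownership check does.
declare(strict_types=1);

/** Validate an id taken from untrusted input; returns the int or null. */
function clean_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;                       // rejects ?id[]=1 style input
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Pick the id from POST, then GET, then the session (assumed key 'record_id'). */
function resolve_id(array $post, array $get, array &$session): ?int
{
    foreach ([$post['id'] ?? null, $get['id'] ?? null] as $candidate) {
        $id = clean_id($candidate);
        if ($id !== null) {
            $session['record_id'] = $id;   // later pages read it here, not from the URL
            return $id;
        }
    }
    return isset($session['record_id']) ? (int) $session['record_id'] : null;
}

/** Assumption: replace with a real query; this constructed table maps user => records. */
function user_owns_record(int $userId, int $recordId): bool
{
    $owned = [7 => [132, 133], 8 => [200]];
    return in_array($recordId, $owned[$userId] ?? [], true);
}

session_start();
$id = resolve_id($_POST, $_GET, $_SESSION);
if ($id === null) {
    http_response_code(400);
    exit('missing or invalid id');
}
// Assumption: the login code stored the current user in $_SESSION['user_id'].
if (!isset($_SESSION['user_id']) || !user_owns_record((int) $_SESSION['user_id'], $id)) {
    http_response_code(403);
    exit('not your record');
}
// From here on $id is a validated integer the current user is allowed to view.
```

Reading $_POST and $_GET explicitly, rather than $_REQUEST, keeps the precedence visible; the validation step is the same whichever array the value came from.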
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 190 total points
ID: 37705235
Greetings lvmllc, I see that you think that exposing the ID and its value in a web addy is not good for your needs. You have the example as http://isomewhere.org/thePage.php?id=132 and you want all of the "GET" sets to not be shown in a web addy of
http://isomewhere.org/thePage.php?

I have never seen and do not think it is possible to have "GET" data segments sent, without having it in the web address.  
You also say - "the ID is displayed in the URL and this is what I want to hide."

You might consider the age-old method of hiding something "In Plain Sight". What I would probably do is use a web addy like
http://isomewhere.org/thePage.php?page=c6af3b2e

'page' is a very common PHP framework GET element used in many, and would not be ordinarily associated with an ID. The ID number (or String) would be converted to HEX, and then that hex string would be reversed or mixed to "Hide" the true hex value, which is easily un-hidden in PHP code that uses the $_GET['page'] element.

But there may be other factors you do not mention, I will assume that you have already thought about using session storage.
LVL 51

Expert Comment

by:tedbilly
ID: 37706115
Guys, most Google APIs use header fields to pass values that are not shown in the URL:
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

This is a common and completely acceptable practice. Yes, having values in the URL is easier to read (and manipulate); however, they can also make URLs completely unwieldy, and if they do not need to be saved as bookmarks it's better to put values in header fields.

Unfortunately many believe the only way to pass information is in the body of the request or in the URL.  The cookie is actually just a specialized header field value honoured by the browser.

Most importantly, HTTPS will encrypt header fields along with the body of the message.

I believe the function header() in PHP will allow you to control them.
LVL 51

Expert Comment

by:ahoffmann
ID: 37706322
As the obvious has already been written and explained: anything in a GET request cannot be hidden!
We can focus on the goal to achieve: what should be hidden, why, and what threats are expected?
LVL 13

Assisted Solution

by:AielloJ
AielloJ earned 120 total points
ID: 37706962
lvmllc:

Your quest to hide the data on a GET request is a good one. Exposing database IDs opens you up to script-based hacking and possible exposure of your database layout. When faced with similar situations in the past, I've written a function that encrypts the GET parameter(s) into a single string that is unencrypted in the receiving script, i.e.:

?id=132

becomes

?param=12e7aab126

The decrypted string contains the parameter name ('id') and the value (132) and works for multiple parameters.

The encryption uses the date string, or the hour as its encryption key assuring the parameter only works for a limited amount of time.  It's not NSA level security, but grants some measure of protection.

Regards,

AielloJ
LVL 51

Expert Comment

by:tedbilly
ID: 37707475
@ahoffman: I disagree with your assessment of hiding data in the GET request. Variables encrypted using any encryption like AES 128 or 256 can be hidden in the HTTP header fields. That is what many web APIs do and what we do at my employer. Session and authentication fields are often hidden in GET requests using this technique.
LVL 33

Expert Comment

by:Slick812
ID: 37707583
@tedbilly, I can see the workability of your ID data in the headers. I use header data a lot in AJAX GET and POST, for sending and getting "version" or "dated" data sets. But you can set and get the headers in an AJAX javascript call. You say "hidden in the HTTP header fields", so I was wondering what method you might use for setting the headers (any header, not just an encrypted one), if you create your page with PHP and have a URL link like
<a href="http://isomewhere.org/thePage.php">The Page</a>
maybe? =
<a href="http://isomewhere.org/thePage.php" setHeader="ETag=ad3fc0bb">The Page</a>

Can you send header info with a link having the <a href= tag?
Although lvmllc says "expose a var in a URL", I just assumed from lack of other information they were referring to an <a> link tag.
LVL 51

Expert Comment

by:ahoffmann
ID: 37707592
I only referred to the request line; any header is "hidden" for browser users (but can be made visible very easily :), don't know if that is sufficient for this question ...
LVL 51

Expert Comment

by:ahoffmann
ID: 37707615
You cannot add headers with plain HTML (<a> tag).
You need to do it with XHR's setRequestHeader().
Author Comment

by:lvmllc
ID: 37710564
This is all good info. A little more background. One of the sites I need to use this on is a 20-page survey/project. After the initial values have been entered, a user can return to the main page, where they see a table of contents that allows them to go back to any one of their pages. I can work around the GET issue using a cookie or session var, but as the admin, I want to be able to go to a single page of a user, thus the ID added to the URL as a param.

Maybe this is just too insecure and I need to build a data portal that is protected by a password, where once in I can type the page and user ID and it takes me to that page.
LVL 33

Accepted Solution

by:Slick812
Slick812 earned 190 total points
ID: 37710899
@lvmllc, in your last post you want to have "over All" administration rights of access. For me I always (no exceptions) use some sort of "Double Protect" sign-in for any "over All" administration rights of access, because you can get info (or set info) that may be for more than one user (maybe for a database select that can list all of the users' info in rows of output). So I would urge you to do what you say, "I need to build a data portal that is protected by a password", to have "over All" administration rights of access; you might even consider having a rotating access code along with a "Long" password so as to have more protection for such an important security leak's access.
LVL 33

Expert Comment

by:Slick812
ID: 37710962
Oh, you may or may not have the use of SSL, but if you do, it might help to secure your admin log-in with it.
LVL 51

Expert Comment

by:ahoffmann
ID: 37712303
Is it acceptable for you if the users find and change the "hidden" id?
If not, you need some kind of encryption and/or authentication.
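AielloJ's idea of folding the GET parameter(s) into one time-limited string, together with the point just made that a "hidden" id a user can still alter needs authentication, as one added PHP example that is not code from the thread. It uses ext/sodium's authenticated encryption (bundled with PHP 7.2 and later) so that the id is both unreadable and tamper-evident, puts the expiry inside the sealed payload instead of deriving the key from the date, and loads the key from an environment variable. The PAGE_TOKEN_KEY name, the "param" query key and the one-hour lifetime are assumptions.

```php
<?php
// Added example (not from the thread): ?param=<token> in place of ?id=132.
// The token is nonce || secretbox(json({"p": params, "exp": unix_time})),
// base64url-encoded. Requires PHP >= 7.2 with ext/sodium.
declare(strict_types=1);

/** Assumption: a 32-byte key, base64url-encoded, sits in PAGE_TOKEN_KEY. */
function token_key(): string
{
    $raw = getenv('PAGE_TOKEN_KEY');
    if ($raw === false) {
        throw new RuntimeException('PAGE_TOKEN_KEY is not set');
    }
    $key = sodium_base642bin($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PAGE_TOKEN_KEY must decode to 32 bytes');
    }
    return $key;
}

/** Seal named parameters into one opaque, URL-safe string valid for $ttl seconds. */
function seal_params(array $params, string $key, int $ttl, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = json_encode(['p' => $params, 'exp' => $now + $ttl]);
    if ($payload === false) {
        throw new RuntimeException('parameters are not JSON-encodable');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per token
    $box = sodium_crypto_secretbox($payload, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Open a token; returns the parameters, or null if malformed, tampered or expired. */
function open_params(string $token, string $key, ?int $now = null): ?array
{
    $now = $now ?? time();
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    try {
        $bin = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        if (strlen($bin) < $minLen) {
            return null;                                           // too short to be real
        }
        $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $payload = sodium_crypto_secretbox_open($box, $nonce, $key);
    } catch (SodiumException $e) {
        return null;                                               // bad base64 or length
    }
    if ($payload === false) {
        return null;                                               // wrong key or modified
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['p'], $data['exp'])
        || !is_array($data['p']) || !is_int($data['exp'])) {
        return null;
    }
    if ($data['exp'] < $now) {
        return null;                                               // expired
    }
    return $data['p'];
}

// Linking page (constructed usage): one hour of validity.
// $url = 'thePage.php?param=' . rawurlencode(seal_params(['id' => 132], token_key(), 3600));
//
// thePage.php:
// $params = open_params((string) ($_GET['param'] ?? ''), token_key());
// if ($params === null) { http_response_code(400); exit('invalid or expired link'); }
// $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
```

Because the MAC covers the whole payload, flipping any byte of the token makes sodium_crypto_secretbox_open() return false, so a changed id is rejected before the script looks at it; the receiving page still has to decide whether the current user may view that record, since a valid token proves only that this server issued it.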