Protecting my $_GET URLs?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
hazel1919
Forum Newbie
Posts: 9
Joined: Wed Jan 27, 2016 10:07 am

Protecting my $_GET URLs?

Post by hazel1919 »

Hi all...

Here is a link to the work in progress: http://toucan-talk.com/classes

Username: jethro
Password: password

I have password protected a file called 'createclassroom.php'. In that file I am using a short PHP script that generates a unique URL (using the md5() hash function) for an online virtual classroom every time the button is clicked.

The URLs look like this when they are created by the script:

Code: Select all

http://toucan-talk.com/classes/classroom.php?instance=8b1a9953c4611296a827abf8c47804d7
Below is the 'createclassroom.php' snippet that

1 - generates the md5() hash
2 - stores it in the variable '$instance'
3 -concatinates it onto the header redirect all when the form submit button is pressed.

Code: Select all

<?php
session_start();

if (isset($_SESSION['id'])) {	
	if (isset($_POST['hidden'])) {
		$uid = $_SESSION['id'];
		$usname = $_SESSION['username'];
		
		// To generate the random string from a word
		$str = "Hello"; // word to hash
		$instance = md5($str); // hash stored in variable
		
		header('Location:classroom.php?instance='.$instance);
	} 
} else {
		echo 'Please login';
		die();
}
?>
In the next file called 'classroom.php' I define the variable $instance as:

Code: Select all

$instance = $_GET['instance'];
And then echo $instance inside the classroom HTML/JS where the instance is generated on their servers to display the unique classroom...

Code: Select all

    // The object to load and instance name. To create a different "session",
    // just copy the html page and change the instance name.
    var object = 'new_conference:classroom<?php echo $instance ?>';
The problem is that because I am using $_GET['instance'] which gets the "instance=xxx" from the URL that means that anyone can create a classroom (and use my resources) as long as they jiggle with the url bar, typing something like....

Code: Select all

classroom.php?instance=ANY_STRING_HERE123
So the question is how do I protect the urls from abuse?

I need to get my variable $instance (which stores that hash code) which I have created in the createclass.php and somehow transfer that variable to the user without passing it through the URL.

Any ideas?

Many thanks in advance for your thoughts on the matter.

Jethro
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Protecting my $_GET URLs?

Post by Celauran »

Couldn't you store it in a session?
hazel1919
Forum Newbie
Posts: 9
Joined: Wed Jan 27, 2016 10:07 am

Re: Protecting my $_GET URLs?

Post by hazel1919 »

Thanks for the quick response... I have tried this however I want to be able to share the classroom URL link with another user so that teacher and student can both be online at the same time.

When another user connects to the classroom using the link then $_SESSION['instance'] = $instance means nothing so it reverts to the default (in my case it is the name of the class which is 'classroom')

Below is a unique class I have created, for you the variable $instance will equal nothing because you don't share my session and if you look at the source code and search for "var object = 'new_conference:" you can see that instead of the hash string there is just the default name "classroom" which puts us in two completely different classrooms.

http://toucan-talk.com/classes/classroo ... f8c47804d7
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Protecting my $_GET URLs?

Post by Christopher »

I am a little confused, but I think what you want is for instructors to be able to create a temporary shared area on the website that other people can use to view those pages. I think you are on the right path generally with generating a token that can be put in a URL to provide this access. After that it gets a less clear.

You main question is how to protect this system from abuse. I assume you mean access by a person other than the intended student, not hacking. The short answer is that there is not an easy way, but it probably does not matter practically in this use case. Obviously limiting the time the token is active allows you to have some control. Things like email validation or IP address checking can be done, but I doubt that is really necessary.

As for you implementation, I think I would have the instructors have standard, session based login accounts. Then allow the instructors to generate a public session. Doing that would generate a URL that the instructor could send to the student. I would store data for the public session in a database table that uses the token as the key. With the token I'd store the instructor and student information for the session, the access that they have (different students may need to see different areas of the site), and the expiration data/time of the session. That makes everything very controllable. It also means that anything done using that token can only be attributed to that student (and instructor). So the token would be of limited use to another student. When a student uses a token URL (like you show above), it looks up the token record to see if it is valid. If it is, it creates a temporary login session for that user. Any activity during that session is attributed to that user.
(#10850)
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Protecting my $_GET URLs?

Post by Weirdan »

If the only concern here is that value should originate from your system you could simply sign it with something like hash_hmac.
hazel1919
Forum Newbie
Posts: 9
Joined: Wed Jan 27, 2016 10:07 am

Re: Protecting my $_GET URLs?

Post by hazel1919 »

Hi there Christopher, very helpful information. That's exactly what I am trying to do, thanks for articulating it so well! :)

We only want teachers (who have accounts) to be able to generate these "shared areas" that the student can access by visiting the unique link (no logins).

The virtual classroom software is in a sort of Iframe. The instructions are to copy the source code of the classroom (which is over on their servers) and paste that source code in a folder on your own domain. Inside that source code is a Javascript function that handles the "instance" of the classroom. It looks like this...

Code: Select all

function start()
{
    // Optional username and password. If not specified here, a popup dialog
    // box will appear.
    var username = '';
    var password = '';

    // The Groupworld server to connect to. You can optionally specify the
    // port number (using the format "server:port").
    var base = 'www.groupworld.net:9175:1639';

    // The object to load and instance name. To create a different "session",
    // just copy the html page and change the instance name.
    var object = 'new_conference:xxx';

    // Flags: not currently used.
    var flags = 0;
    groupworld.startup(username, password, base, object, flags);
}
If var object = 'new_conference:xxx' is 'x' for me and 'y' for the student then we are in two different classes.

At the moment I am echoing that unique hashed string inside var object = 'new_conference:xxx' like this...

Code: Select all

var object = 'new_conference:<?php echo $instance ?>';
This means that when I create a classroom as a teacher and store the hash as $_SESSION['instance'] = $instance; it works, the variable $instance is equal to something like...

Code: Select all

8b1a9953c4611296a827abf8c47804d7
And the Javascript looks like this

Code: Select all

var object = 'new_conference:8b1a9953c4611296a827abf8c47804d7';
However if the student accesses that page then $_SESSION['instance'] = $instance; is NULL because the session is different, blank.

What has worked for me is using $_GET['instance'] = $instance; because now when the student accesses the unique classroom page, the url looks like this...

Code: Select all

classroom.php?instance=8b1a9953c4611296a827abf8c47804d7
So the variable called $_GET['instance'] is equal to '8b1a9953c4611296a827abf8c47804d7'

The student is 'GETTING' the information from the url, the problem is that this open to tampering... if the student changes the url to say '?instance=123', for him the variable $instance is equal to '123' and that gets ECHOED into the classroom source code so a new classroom is generated.

This means that the system is open to being abused simply by typing classroom.php?instance=ANYTHING_HERE

Perhaps I would need to store the hash that is generated by the teacher in the Database and then serve that hash to the student when he accesses the url? I could then run a check...

Code: Select all

if ($instance == $dbInstance){
} else {
die();
}
Not sure if this would solve my issue...
hazel1919
Forum Newbie
Posts: 9
Joined: Wed Jan 27, 2016 10:07 am

Re: Protecting my $_GET URLs?

Post by hazel1919 »

@Christopher, thinking about this a bit more you are absolutely correct. I will need to store the hash in a database and then when a visitor logs onto the unique classroom URL there is a script that checks to see if the hash in the URL matches with any hashes in the database.

The hashes would have to have an expiry time, perhaps 1 hour so that the classroom instance is destroyed... below is a user flowchart... does this look like it might be workable?
user-flow.png
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Protecting my $_GET URLs?

Post by Christopher »

Yes, that is generally what I was thinking. Using a database allows for both control and some tracking of access to the Virtual Classroom. For example, in addtion to expiration data, you could have additional access type and date control. Some examples are:

- Both available and expiration dates, so an instructor could not allow access until after a specific date as well as after an expiration date. (default start could be NOW())
- Allow student only access, or require the instructor to be present before the student can have access.
- Record the date/time that the student was actually present. It might be of interest to the instructor to get a report of accesses during a time period.

Most of this would be updating the record when the page is accessed, which is easy and reliable. Other data might need to be recorded with an Ajax call when the classroom is ended or the page is closed. You could do things like have the the classroom expire when the instructor closes or navigates away from the page, or a timeout as a failsafe just in case they forget.
(#10850)
Post Reply