
Protecting my $_GET URLs?

Posted: Wed Jan 27, 2016 10:19 am
by hazel1919
Hi all...

Here is a link to the work in progress: http://toucan-talk.com/classes

Username: jethro
Password: password

I have password protected a file called 'createclassroom.php'. In that file I am using a short PHP script that generates a unique URL (using the md5() hash function) for an online virtual classroom every time the button is clicked.

The URLs look like this when they are created by the script:

Code: Select all

http://toucan-talk.com/classes/classroom.php?instance=8b1a9953c4611296a827abf8c47804d7
Below is the 'createclassroom.php' snippet that

1 - generates the md5() hash
2 - stores it in the variable '$instance'
3 - concatenates it onto the header redirect all when the form submit button is pressed.

Code: Select all

<?php
session_start();

if (isset($_SESSION['id'])) {
    if (isset($_POST['hidden'])) {
        $uid = $_SESSION['id'];
        $usname = $_SESSION['username'];

        // To generate the random string from a word
        $str = "Hello"; // word to hash
        $instance = md5($str); // hash stored in variable

        // Send the redirect, then stop so no further code runs after the header
        header('Location: classroom.php?instance=' . $instance);
        exit;
    }
} else {
    echo 'Please login';
    die();
}
?>
In the next file called 'classroom.php' I define the variable $instance as:

Code: Select all

$instance = $_GET['instance'];
And then echo $instance inside the classroom HTML/JS where the instance is generated on their servers to display the unique classroom...

Code: Select all

    // The object to load and instance name. To create a different "session",
    // just copy the html page and change the instance name.
    var object = 'new_conference:classroom<?php echo $instance ?>';
The problem is that because I am using $_GET['instance'] which gets the "instance=xxx" from the URL that means that anyone can create a classroom (and use my resources) as long as they jiggle with the url bar, typing something like....

Code: Select all

classroom.php?instance=ANY_STRING_HERE123
So the question is how do I protect the urls from abuse?

I need to get my variable $instance (which stores that hash code) which I have created in the createclass.php and somehow transfer that variable to the user without passing it through the URL.

Any ideas?

Many thanks in advance for your thoughts on the matter.

Jethro

Re: Protecting my $_GET URLs?

Posted: Wed Jan 27, 2016 10:41 am
by Celauran
Couldn't you store it in a session?

Re: Protecting my $_GET URLs?

Posted: Wed Jan 27, 2016 11:02 am
by hazel1919
Thanks for the quick response... I have tried this however I want to be able to share the classroom URL link with another user so that teacher and student can both be online at the same time.

When another user connects to the classroom using the link then $_SESSION['instance'] = $instance means nothing so it reverts to the default (in my case it is the name of the class which is 'classroom')

Below is a unique class I have created, for you the variable $instance will equal nothing because you don't share my session and if you look at the source code and search for "var object = 'new_conference:" you can see that instead of the hash string there is just the default name "classroom" which puts us in two completely different classrooms.

http://toucan-talk.com/classes/classroo ... f8c47804d7

Re: Protecting my $_GET URLs?

Posted: Wed Jan 27, 2016 1:06 pm
by Christopher
I am a little confused, but I think what you want is for instructors to be able to create a temporary shared area on the website that other people can use to view those pages. I think you are on the right path generally with generating a token that can be put in a URL to provide this access. After that it gets less clear.

Your main question is how to protect this system from abuse. I assume you mean access by a person other than the intended student, not hacking. The short answer is that there is not an easy way, but it probably does not matter practically in this use case. Obviously limiting the time the token is active allows you to have some control. Things like email validation or IP address checking can be done, but I doubt that is really necessary.

As for your implementation, I think I would have the instructors have standard, session based login accounts. Then allow the instructors to generate a public session. Doing that would generate a URL that the instructor could send to the student. I would store data for the public session in a database table that uses the token as the key. With the token I'd store the instructor and student information for the session, the access that they have (different students may need to see different areas of the site), and the expiration date/time of the session. That makes everything very controllable. It also means that anything done using that token can only be attributed to that student (and instructor). So the token would be of limited use to another student. When a student uses a token URL (like you show above), it looks up the token record to see if it is valid. If it is, it creates a temporary login session for that user. Any activity during that session is attributed to that user.

Re: Protecting my $_GET URLs?

Posted: Wed Jan 27, 2016 6:08 pm
by Weirdan
If the only concern here is that value should originate from your system, you could simply sign it with something like hash_hmac.
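
Added example (not part of Weirdan's post or the site's code): one way to sign the classroom link with hash_hmac so that a hand-edited `instance` value is rejected. The key, the `expires` and `sig` parameters and both function names are assumptions made for the illustration.

```php
<?php
// Added illustration. SECRET_KEY, sign_classroom_url() and
// verify_classroom_request() are hypothetical names, not from the thread.

// Assumption: a random server-side secret stored outside the web root.
const SECRET_KEY = 'constructed-demo-key-replace-with-random-bytes';

// Called from the login-protected page: builds a link only the server can mint.
function sign_classroom_url(string $base, int $ttl = 3600, ?int $now = null): string
{
    $now      = $now ?? time();
    $instance = bin2hex(random_bytes(16));   // unpredictable, 32 hex characters
    $expires  = $now + $ttl;
    // The signature covers both fields, so neither can be changed on its own.
    $sig = hash_hmac('sha256', $instance . '|' . $expires, SECRET_KEY);
    return $base . '?' . http_build_query(
        ['instance' => $instance, 'expires' => $expires, 'sig' => $sig]
    );
}

// Called from classroom.php with $_GET: returns the instance name or null.
function verify_classroom_request(array $get, ?int $now = null): ?string
{
    $now      = $now ?? time();
    $instance = $get['instance'] ?? '';
    $expires  = $get['expires'] ?? '';
    $sig      = $get['sig'] ?? '';
    // Reject array-valued parameters and anything outside the expected format.
    if (!is_string($instance) || !is_string($expires) || !is_string($sig)) return null;
    if (!preg_match('/\A[0-9a-f]{32}\z/', $instance)) return null;
    if (!preg_match('/\A[0-9]{1,10}\z/', $expires)) return null;
    $expected = hash_hmac('sha256', $instance . '|' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $sig)) return null;   // constant-time comparison
    if ((int) $expires < $now) return null;           // link has expired
    return $instance;   // hex only, so it is safe to echo into the JS string
}

// Constructed demo: a genuine link, then the same link with the instance edited.
$url = sign_classroom_url('classroom.php');
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_classroom_request($query) !== null);
$query['instance'] = str_repeat('0', 32);
var_dump(verify_classroom_request($query));
```

A signed link needs no database lookup, but it cannot be revoked before its `expires` time without changing the key.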

Re: Protecting my $_GET URLs?

Posted: Thu Jan 28, 2016 2:55 am
by hazel1919
Hi there Christopher, very helpful information. That's exactly what I am trying to do, thanks for articulating it so well! :)

We only want teachers (who have accounts) to be able to generate these "shared areas" that the student can access by visiting the unique link (no logins).

The virtual classroom software is in a sort of Iframe. The instructions are to copy the source code of the classroom (which is over on their servers) and paste that source code in a folder on your own domain. Inside that source code is a Javascript function that handles the "instance" of the classroom. It looks like this...

Code: Select all

function start()
{
    // Optional username and password. If not specified here, a popup dialog
    // box will appear.
    var username = '';
    var password = '';

    // The Groupworld server to connect to. You can optionally specify the
    // port number (using the format "server:port").
    var base = 'www.groupworld.net:9175:1639';

    // The object to load and instance name. To create a different "session",
    // just copy the html page and change the instance name.
    var object = 'new_conference:xxx';

    // Flags: not currently used.
    var flags = 0;
    groupworld.startup(username, password, base, object, flags);
}
If var object = 'new_conference:xxx' is 'x' for me and 'y' for the student then we are in two different classes.

At the moment I am echoing that unique hashed string inside var object = 'new_conference:xxx' like this...

Code: Select all

var object = 'new_conference:<?php echo $instance ?>';
This means that when I create a classroom as a teacher and store the hash as $_SESSION['instance'] = $instance; it works, the variable $instance is equal to something like...

Code: Select all

8b1a9953c4611296a827abf8c47804d7
And the Javascript looks like this

Code: Select all

var object = 'new_conference:8b1a9953c4611296a827abf8c47804d7';
However if the student accesses that page then $_SESSION['instance'] = $instance; is NULL because the session is different, blank.

What has worked for me is using $_GET['instance'] = $instance; because now when the student accesses the unique classroom page, the url looks like this...

Code: Select all

classroom.php?instance=8b1a9953c4611296a827abf8c47804d7
So the variable called $_GET['instance'] is equal to '8b1a9953c4611296a827abf8c47804d7'

The student is 'GETTING' the information from the url, the problem is that this is open to tampering... if the student changes the url to say '?instance=123', for him the variable $instance is equal to '123' and that gets ECHOED into the classroom source code so a new classroom is generated.

This means that the system is open to being abused simply by typing classroom.php?instance=ANYTHING_HERE

Perhaps I would need to store the hash that is generated by the teacher in the Database and then serve that hash to the student when he accesses the url? I could then run a check...

Code: Select all

// Strict comparison: with ==, PHP can treat numeric-looking strings such as "0e1" and "0e2" as equal
if ($instance !== $dbInstance) {
    die();
}
Not sure if this would solve my issue...

Re: Protecting my $_GET URLs?

Posted: Thu Jan 28, 2016 9:05 am
by hazel1919
@Christopher, thinking about this a bit more you are absolutely correct. I will need to store the hash in a database and then when a visitor logs onto the unique classroom URL there is a script that checks to see if the hash in the URL matches with any hashes in the database.

The hashes would have to have an expiry time, perhaps 1 hour so that the classroom instance is destroyed... below is a user flowchart... does this look like it might be workable?
[Attachment: user-flow.png]

Re: Protecting my $_GET URLs?

Posted: Thu Jan 28, 2016 1:29 pm
by Christopher
Yes, that is generally what I was thinking. Using a database allows for both control and some tracking of access to the Virtual Classroom. For example, in addition to expiration date, you could have additional access type and date control. Some examples are:

- Both available and expiration dates, so an instructor could not allow access until after a specific date as well as after an expiration date. (default start could be NOW())
- Allow student only access, or require the instructor to be present before the student can have access.
- Record the date/time that the student was actually present. It might be of interest to the instructor to get a report of accesses during a time period.

Most of this would be updating the record when the page is accessed, which is easy and reliable. Other data might need to be recorded with an Ajax call when the classroom is ended or the page is closed. You could do things like have the classroom expire when the instructor closes or navigates away from the page, or a timeout as a failsafe just in case they forget.
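
Added example (not code from any poster in this thread): a sketch of the database-backed token discussed above, with available and expiration times and a recorded access time. The table, column and function names are hypothetical, and an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for the site's real database.

```php
<?php
// Added illustration; every table, column and function name is hypothetical.
$db = new PDO('sqlite::memory:');   // constructed stand-in for the real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE classroom_tokens (
    token          TEXT PRIMARY KEY,
    instructor_id  INTEGER NOT NULL,
    available_at   INTEGER NOT NULL,
    expires_at     INTEGER NOT NULL,
    last_access_at INTEGER)');

// Run only for a logged-in teacher: mint a random token and store its limits.
function create_classroom(PDO $db, int $instructorId, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(16));   // 32 hex characters from a CSPRNG
    $stmt  = $db->prepare('INSERT INTO classroom_tokens
        (token, instructor_id, available_at, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$token, $instructorId, $now, $now + $ttl]);
    return $token;
}

// Run in classroom.php with $_GET['instance']: returns the row or null.
function lookup_classroom(PDO $db, $token, int $now): ?array
{
    // Only values that look like a token we could have issued reach the query.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM classroom_tokens
        WHERE token = ? AND available_at <= ? AND expires_at > ?');
    $stmt->execute([$token, $now, $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;   // unknown, not yet available, or expired
    }
    // Record the access time so the instructor can get a report later.
    $db->prepare('UPDATE classroom_tokens SET last_access_at = ? WHERE token = ?')
       ->execute([$now, $token]);
    return $row;
}

// Constructed demo inputs.
$now   = time();
$token = create_classroom($db, 1, $now);
var_dump(lookup_classroom($db, $token, $now) !== null);        // link made by a teacher
var_dump(lookup_classroom($db, 'ANY_STRING_HERE123', $now));   // hand-typed value
var_dump(lookup_classroom($db, $token, $now + 7200));          // same link after expiry
```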