Passing a username through MD5 hash via link.

Posted: Wed Apr 05, 2006 1:24 pm
by Kainproductions
I'm currently working with a site that uses a partner site to administer tests. They basically want it so the user's username is passed through an MD5 hash (to store their username) when they click on a link to visit the partner site to take the test. I have searched all over but have had no luck finding any tutorials or information on how to do this quickly. Any suggestions?

Posted: Wed Apr 05, 2006 1:34 pm
by feyd
How to do what, specifically? I'm not quite understanding what you're having troubles with.

Posted: Wed Apr 05, 2006 1:41 pm
by Kainproductions
Ok, here's the scenario. The user is currently logged into the site. In order for them to take a test they have to visit another website we have partnered with to give the tests. The partner site wants it so that when the user clicks on the URL to visit the partner site, only the user's username is sent through the URL to the partner site, so they can store the test results for the particular user. To protect the user's username they want us to pass it through an MD5 hash which would be translated back to the username on their end. How would I do this?

Posted: Wed Apr 05, 2006 1:46 pm
by feyd
When you generate the URL for the test, add the md5() to it:

Code:

echo '<a href="http://example.com/test/1234/?partner=331&user=' . md5($username) . '">Take the test.</a>';

Posted: Wed Apr 05, 2006 2:16 pm
by Kainproductions
Thanks, but how would I pull the username from their login session?

Posted: Wed Apr 05, 2006 2:19 pm
by feyd
You don't, and can't, without your partner site sending you that information or the user setting it on your site.

Posted: Wed Apr 05, 2006 3:11 pm
by Ambush Commander
It looks like you've got a single-signon-ish problem. I'd suggest digitally signing anything you pass between these two sites so that it can't be tampered with.

MD5 really isn't encryption... it's for hashing.
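
The signing suggested in this post, as an added example that is not part of the original thread: the sending site appends an HMAC-SHA256 over the username and an expiry time, and the partner site recomputes it before trusting the value. `LINK_KEY`, `sign_user()` and `verify_user()` are names assumed for the illustration, and an HMAC with a shared secret stands in for a digital signature; it makes the link tamper-evident but does not hide the username.

```php
<?php
// Added example. LINK_KEY is a constructed placeholder for a secret shared by both sites.
const LINK_KEY = 'replace-with-a-long-random-secret';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Sending site: returns "payload.signature" to put in the link.
function sign_user(string $username, int $ttl = 300, ?int $now = null): string
{
    $claims  = ['u' => $username, 'exp' => ($now ?? time()) + $ttl];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, LINK_KEY, true));
}

// Receiving site: returns the username, or null if the token is altered, forged or expired.
function verify_user(string $token, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, LINK_KEY, true));
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    // The payload is decoded only after its signature has been checked.
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !is_string($claims['u'] ?? null) || !is_int($claims['exp'] ?? null)) {
        return null;
    }
    return ($now ?? time()) <= $claims['exp'] ? $claims['u'] : null;
}

// Constructed sample values; fixed clock values make the three cases repeatable.
$token = sign_user('jdoe', 300, 1000);
echo 'http://example.com/test/1234/?partner=331&user=' . rawurlencode($token), "\n";
var_dump(verify_user($token, 1100));       // inside the 300-second lifetime
var_dump(verify_user($token . 'x', 1100)); // signature altered in transit
var_dump(verify_user($token, 2000));       // replayed after expiry
```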

Posted: Wed Apr 05, 2006 3:21 pm
by RobertGonzalez
It won't protect the username, but can you maybe send a validation key unique to the user that resides on both sites? Then regardless of the site you are on, the username can be fetched from the database using the validation key.

Posted: Wed Apr 05, 2006 3:24 pm
by Roja
Kainproductions wrote: To protect the user's username they want us to pass it through an MD5 hash which would be translated back to the username on their end.
MD5 is a one-way hash. It cannot be translated back.

Posted: Wed Apr 05, 2006 3:27 pm
by RobertGonzalez
Another thing you can try is developing your own encode/decode function that can handle this. But the hashing algorithms that are out there right now are meant to NOT be unhashed.

Posted: Mon Apr 10, 2006 1:05 pm
by Kainproductions
Can I do this alternatively with cookies? If so, how would I go about doing this? How would I grab the user's userid from their cookies and carry it over to the other site?

Posted: Mon Apr 10, 2006 1:09 pm
by feyd
Cookies set on other domains cannot be read.

Posted: Wed Apr 12, 2006 8:38 am
by printf
Mcrypt would be good for this sort of thing.


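Code:

/*
* encode protected link variable (sending server)
*/

function encode_key ( $str )
{
	// ECB mode does not use an IV; one is created only because it is passed to mcrypt_encrypt() below
	$obj = mcrypt_create_iv ( mcrypt_get_iv_size ( MCRYPT_XTEA, MCRYPT_MODE_ECB ), MCRYPT_RAND );

	// encrypt with XTEA, compress, then hex-encode so the value can be placed in a URL
	return ( bin2hex ( gzcompress ( mcrypt_encrypt ( MCRYPT_XTEA, SYS_KEY, $str, MCRYPT_MODE_ECB, $obj ), 9 ) ) );
}

// send usage

define ( 'SYS_KEY', 'my_super_secret_key' );

$str = 'some text to encrypt and protect';

// the encoded value sits inside the single-quoted href attribute (stray quote after "user=" removed)
$link = "<a href='http://www.test_site.com/path_to_test/script.php?user=" . encode_key ( $str ) . "'>Take Test</a>";
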
Code:

/*
* decode protected link variable (receiving server)
*/

function decode_key ( $str )
{
	$str = @gzuncompress ( @pack ( 'H*', $str ) );

	$obj = @mcrypt_create_iv ( @mcrypt_get_iv_size ( MCRYPT_XTEA, MCRYPT_MODE_ECB ), MCRYPT_RAND );

	return ( @mcrypt_decrypt ( MCRYPT_XTEA, SYS_KEY, $str, MCRYPT_MODE_ECB, $obj ) );
}


// receiving usage

define ( 'SYS_KEY', 'my_super_secret_key' );

if ( isset ( $_GET['user'] ) )
{
	$user = trim ( decode_key ( $_GET['user'] ) );

	if ( valid_user ( $user ) === true )
	{
		// do test, valid user
	}
	else
	{
		// do error, not valid user
	}
}
pif!

Posted: Fri Apr 14, 2006 2:18 pm
by ntbd
There are ways you can use a cookie on different servers; it depends on how you want to output the results.
You could use a PHP file as a JavaScript source on your server and have their script collect the info from that.