Is $_GET secure?

Posted: Tue Jun 10, 2008 2:50 pm
by Arocity
So I'm doing some basic ajax stuff, and I had a thought that perplexed me a little. What steps can I take to prevent somebody from simply checking source code for the external ajax script (i.e. someAjaxRequest.open("GET", "somescript.php" + SomeQueryString, true)) and updating somebody else's info? For example, one thing I changed in my script(s) was to use my session variables. Before, I was sending a uid in the javascript and then sending that to "somescript.php". Instead, I'm keeping all identifications "internal". The only other thing I could think about was creating arrays of valid parameters and validating against that array.

Maybe I'm just thinking too hard...

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 2:55 pm
by superdezign
Using anything less than a hashed password or unique randomly generated identification code is too little for client-side programming, security-wise. You have to use methods of identifying users by something that cannot be easily replicated and something that is not available for public display in any way.

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:08 pm
by Mordred
Wrong question, I think.
The method to pass data has nothing to do with the authorization logic in your script, and it being an AJAX handler as well. Validate the input to ensure that the request comes from the right user. Post some code if you have doubts.

@superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
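The following is an added example, not code posted by anyone in this thread. It shows the AJAX handler side of the original question together with Mordred's point about authorization: the acting user is taken from the session that the login script set, the record id may still arrive in the query string, and the handler checks that the record belongs to the caller before touching it. Client-supplied parameters are validated against a whitelist, as the original post suggests. The `employees(em_id, phone, extension)` table, the `is_admin` session flag and the `handle_update` function name are assumptions made for this demo; the data is constructed in an in-memory SQLite database so the script runs on its own.

```php
<?php
// Added example, not code posted in this thread: the AJAX handler side of
// the question. The acting user comes from the session set at login, the
// record id may come from the query string, and the handler checks that
// the record belongs to the acting user before changing anything.
// Table employees(em_id, phone, extension) and the 'is_admin' session
// flag are assumptions made for this demo.

// Fields the AJAX call may update, each with a value check. Because the
// field name is looked up here, it is safe to place in the SQL below.
const ALLOWED_FIELDS = [
    'phone'     => '/^\+?[0-9 -]{7,20}$/',
    'extension' => '/^[0-9]{2,6}$/',
];

// Returns [http_status, response_array]; $session and $get stand in for
// $_SESSION and $_GET so the logic can be exercised outside a web request.
function handle_update(PDO $db, array $session, array $get): array {
    // Authentication state comes only from the server-side session.
    if (empty($session['logged_in']) || empty($session['em_id'])) {
        return [401, ['error' => 'not logged in']];
    }
    $actor  = (string) $session['em_id'];
    $field  = is_string($get['field'] ?? null) ? $get['field'] : '';
    $value  = is_string($get['value'] ?? null) ? $get['value'] : '';
    $target = is_string($get['id'] ?? null) ? $get['id'] : $actor;   // whose record

    if (!isset(ALLOWED_FIELDS[$field]) || !preg_match(ALLOWED_FIELDS[$field], $value)) {
        return [400, ['error' => 'bad parameter']];
    }
    // Authorization: the id in the URL is only a request; the session says
    // who is asking. Changing someone else's record needs the admin flag.
    if ($target !== $actor && empty($session['is_admin'])) {
        return [403, ['error' => 'not your record']];
    }
    $stmt = $db->prepare("UPDATE employees SET $field = :value WHERE em_id = :em_id");
    $stmt->execute([':value' => $value, ':em_id' => $target]);
    if ($stmt->rowCount() === 0) {
        return [404, ['error' => 'no such record']];
    }
    return [200, ['ok' => true]];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE employees (em_id TEXT PRIMARY KEY, phone TEXT, extension TEXT)");
$db->exec("INSERT INTO employees VALUES ('alice', '555-0100', '101'), ('bob', '555-0101', '102')");

$alice = ['logged_in' => 1, 'em_id' => 'alice'];
// Alice updates her own phone: allowed.
[$s1] = handle_update($db, $alice, ['field' => 'phone', 'value' => '555-0199']);
// Alice edits the query string to point at Bob's record: refused (403).
[$s2] = handle_update($db, $alice, ['id' => 'bob', 'field' => 'phone', 'value' => '555-0000']);
// Field outside the whitelist: refused (400) before the database is touched.
[$s3] = handle_update($db, $alice, ['field' => 'em_id', 'value' => 'bob']);
// In the real web script the call would be:
//   [$status, $body] = handle_update($db, $_SESSION, $_GET);
echo "$s1 $s2 $s3\n";
```

Whether the parameters come in through `$_GET` or `$_POST` makes no difference to this check, which is the point Mordred makes: the transport is not what decides who may change which record, the session identity plus the ownership comparison is.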

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:13 pm
by superdezign
Mordred wrote:
@superdezign: I don't follow what you mean. The problem here doesn't seem to be authentication (who you are) but authorization (do you have the rights to change $_GET['id']'s info).
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:21 pm
by Arocity
I see what you mean Mordred. That's pretty much what I'm referring to. I'm actually authenticating against Windows AD (ugh). That way there won't be any duplicate users. So if they successfully authenticate, I just set the session variable "em_id" to the username they used to log in.

if ($_POST["adUser"] != "" && $_POST["adPassword"] != "")
{
    #Line 203
    #D:\Portal\ASF\Apache\conf\httpd.conf.LDAP

    $adServer = "www.ihateiis.com";

    $p_adUser     = addslashes($_POST["adUser"]);
    $p_adPassword = addslashes($_POST["adPassword"]);

    $adUser     = $p_adUser;
    $adPassword = $p_adPassword;

    // Connect to the directory server.
    $ad = ldap_connect("ldap://" . $adServer)
        or die("Couldn't connect to AD!");

    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    if ($ad)
    {
        $bd = ldap_bind($ad, $adUser, $adPassword);     // Bind to the directory server.

        if ($bd)
        {
            $_SESSION["em_id"] = $p_adUser;         // Let's save the username
            $em_id = $_SESSION["em_id"];

            $_SESSION["logged_in"] = 1;
            $format = "Y-m-d H:i:s";
            $timestamp = date($format);

            $db->query("UPDATE employees SET last_login = '$timestamp' WHERE em_id = '$em_id'");
            echo "<br /><br />You are now logged in as <b>$p_adUser</b>.";
        }
        else
        {
            $msg = "Your login information is invalid. Try again.<br /><br />";
            show_form("f_login", $msg);
        }

        ldap_unbind($ad);
    }
}

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:25 pm
by Arocity
superdezign wrote:
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:30 pm
by Mordred
The login looks okay (but I don't know anything about ldap and the possible dangers, so don't take my opinion on that), but I thought your problem was with the ajax handler, rather show that one.

Re: Is $_GET secure?

Posted: Tue Jun 10, 2008 3:31 pm
by superdezign
Arocity wrote:
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
Right. Except, it'd be better to use an ID that wouldn't remain static from one login to another, sort of like "Remember Me" functions work in systems like phpBB.
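As an added example (not code from this thread or from phpBB), here is the kind of non-static identifier superdezign describes: a "remember me" style token that is stored hashed on the server and replaced every time it is used, so a copied token stops working as soon as the real browser checks in again. The `login_tokens` table layout, the selector/validator split and the function names are assumptions for this demo; the storage is an in-memory SQLite database constructed here so the script runs by itself.

```php
<?php
// Added example, not code from this thread: a persistent-login token that
// rotates on every use. Only a hash of the secret half is stored, so a
// leaked table does not yield usable cookies. The login_tokens table and
// the function names are assumptions made for this demo.

function token_store(): PDO {
    $db = new PDO('sqlite::memory:');   // constructed demo storage
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        em_id          TEXT NOT NULL,
        expires_at     INTEGER NOT NULL)');
    return $db;
}

// Issue a fresh token for $em_id. The selector is a plain lookup key; the
// validator is the secret and is stored only as a SHA-256 hash.
// Returns the cookie value "selector:validator".
function issue_token(PDO $db, string $em_id, int $ttl = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $em_id, time() + $ttl]);
    return "$selector:$validator";
}

// Validate a presented cookie. On success the old token is deleted and a
// new one issued, so each token is single use. Returns [em_id, new_cookie]
// or null when the cookie is unknown, expired or wrong.
function redeem_token(PDO $db, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, em_id, expires_at
                          FROM login_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the hashed validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // Consume the old token before handing out the replacement.
    $db->prepare('DELETE FROM login_tokens WHERE selector = ?')->execute([$selector]);
    return [$row['em_id'], issue_token($db, $row['em_id'])];
}

// Constructed demo: the first presentation of the cookie succeeds and
// rotates it; presenting the same cookie again is rejected.
$db     = token_store();
$first  = issue_token($db, 'jdoe');
$result = redeem_token($db, $first);
$replay = redeem_token($db, $first);
var_dump($result !== null && $result[0] === 'jdoe' && $result[1] !== $first);
var_dump($replay === null);
```

In the web script the value returned by `issue_token` or `redeem_token` goes into the cookie with `setcookie()` using the `httponly` and `secure` options, and a successful `redeem_token` is followed by the same session setup as a password login.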

Re: Is $_GET secure?

Posted: Tue Jun 24, 2008 9:09 pm
by LBmtb
Arocity wrote:
Right, I was speaking in terms of having some way of proving that the current user is the user that they say they are, to avoid successful client-side tampering.
So in reference to the hashed passwords, were you suggesting storing something like that as a session var? And then I guess updating the database w/ that key? That way authenticating against the DB since a hacker wouldn't have access to that?
If you do that, make sure to also protect against session based attacks (hijacking and fixation).
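The following is an added example, not code from this thread, showing the session protections LBmtb refers to around the AD login posted above. `session_regenerate_id()` after a successful bind defeats fixation (an ID planted before login is not the ID of the logged-in session), strict mode refuses IDs the server never issued, the cookie flags and idle timeout limit what a hijacked ID is worth, and a cheap User-Agent check gives a hijack indicator. The function names and the 30-minute idle limit are assumptions; it assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from this thread: session handling that counters
// fixation and hijacking. Assumes HTTPS; function names are assumptions.

// Cookie settings must be in place before the session starts. HttpOnly
// keeps page script from reading the session cookie, Secure restricts it
// to HTTPS and SameSite=Lax stops most cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_start();

// Call right after a successful ldap_bind(), in place of the two
// $_SESSION assignments in the login posted above.
function establish_login_session(string $em_id): void {
    session_regenerate_id(true);           // fresh ID, old one discarded: no fixation
    $_SESSION['em_id']     = $em_id;
    $_SESSION['logged_in'] = 1;
    $_SESSION['last_seen'] = time();
    // Weak binding to the client: a User-Agent that changes mid-session is
    // a cheap hijack indicator, not proof of anything.
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call at the top of every authenticated handler, the AJAX script included.
// Returns the logged-in em_id or ends the request with 401.
function require_login(int $idle_limit = 1800): string {
    $ua_now = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $ok = !empty($_SESSION['logged_in'])
        && isset($_SESSION['em_id'], $_SESSION['last_seen'], $_SESSION['ua_hash'])
        && time() - $_SESSION['last_seen'] <= $idle_limit
        && hash_equals($_SESSION['ua_hash'], $ua_now);
    if (!$ok) {
        logout();
        http_response_code(401);
        exit('not logged in');
    }
    $_SESSION['last_seen'] = time();       // sliding idle timeout
    return $_SESSION['em_id'];
}

// Clear server-side state and expire the cookie so the ID cannot be reused.
function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The rotating "remember me" token superdezign mentions complements this rather than replacing it: when such a token is redeemed, the same `establish_login_session()` call should run so the browser gets a freshly generated session ID and not one it already held before authenticating.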