Passing a username through MD5 hash via link.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Kainproductions
Forum Newbie
Posts: 4
Joined: Wed Apr 05, 2006 1:22 pm

Passing a username through MD5 hash via link.

Post by Kainproductions »

I'm currently working with a site that uses a partner site to administer tests. They basically want it so the user's username is passed through an MD5 hash (to store their username) when they click on a link to visit the partner site to take the test. I have searched all over but have had no luck finding any tutorials or information on how to do this quickly. Any suggestions?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

How to do what, specifically? I'm not quite understanding what you're having troubles with.
Kainproductions
Forum Newbie
Posts: 4
Joined: Wed Apr 05, 2006 1:22 pm

Post by Kainproductions »

OK, here's the scenario. The user is currently logged into the site. In order for them to take a test they have to visit another website we have partnered with to give the tests. The partner site wants it so when the user clicks on the URL to visit the partner site, the user's username only is sent through the URL to the partner site so they can store the test results for the particular user. To protect the user's username they want us to pass it through an MD5 hash which would be translated back to the username on their end. How would I do this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

When you generate the URL for the test, add the md5() to it:

Code:

// md5() returns 32 hex characters, so the value needs no URL-encoding
echo '<a href="http://example.com/test/1234/?partner=331&amp;user=' . md5($username) . '">Take the test.</a>';
Kainproductions
Forum Newbie
Posts: 4
Joined: Wed Apr 05, 2006 1:22 pm

Post by Kainproductions »

Thanks, but how would I pull the username from their login session?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You don't, and can't, without your partner site sending you that information or the user setting it on your site.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It looks like you've got a single-signon-ish problem. I'd suggest digitally signing anything you pass between these two sites so that it can't be tampered with.

MD5 really isn't encryption... it's for hashing.
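
The signing suggested in the post above, as an added example that is not part of the original thread: the sending site attaches a timestamp and an HMAC-SHA256 tag, and the partner recomputes the tag before trusting the username. The key, URL, parameter names and five-minute lifetime are assumptions; the username stays readable in the URL, and only altered or stale links are rejected.

```php
<?php
// Added example, not code from the thread. SHARED_KEY, PARTNER_URL, MAX_AGE
// and the parameter names (user, ts, sig) are assumptions for illustration.
const SHARED_KEY  = 'constructed-demo-key-replace-with-random-bytes';
const PARTNER_URL = 'https://partner.example/test/1234/';
const MAX_AGE     = 300; // seconds a link stays valid

// Sending site: sign username + timestamp with the shared key.
function build_signed_link(string $username, int $now): string
{
    $sig = hash_hmac('sha256', $username . "\n" . $now, SHARED_KEY);
    return PARTNER_URL . '?' . http_build_query(
        ['user' => $username, 'ts' => $now, 'sig' => $sig]
    );
}

// Receiving site: returns the username, or null when a field is missing,
// the link is older than MAX_AGE, or the signature does not match.
function verify_signed_link(array $query, int $now): ?string
{
    foreach (['user', 'ts', 'sig'] as $field) {
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return null; // also rejects array values such as user[]=x
        }
    }
    if (!ctype_digit($query['ts'])) {
        return null;
    }
    $ts = (int) $query['ts'];
    if ($ts > $now + 30 || $now - $ts > MAX_AGE) {
        return null; // 30 s allowance for clock skew between the sites
    }
    $expected = hash_hmac('sha256', $query['user'] . "\n" . $ts, SHARED_KEY);
    // hash_equals() compares in constant time
    return hash_equals($expected, $query['sig']) ? $query['user'] : null;
}

// Constructed round trip: a genuine link, then the same link with the
// username swapped after signing.
$now = time();
parse_str(parse_url(build_signed_link('alice', $now), PHP_URL_QUERY), $query);
var_dump(verify_signed_link($query, $now));
$query['user'] = 'mallory';
var_dump(verify_signed_link($query, $now));
```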
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

It won't protect the username, but can you maybe send a validation key unique to the user that resides on both sites? Then regardless of the site you are on, the username can be fetched from the database using the validation key.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Kainproductions wrote: To protect the user's username they want us to pass it through a MD5 hash which would be translated back to the username on their end.
MD5 is a one-way hash. It cannot be translated back.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Another thing you can try is developing your own encode/decode function that can handle this. But the hashing algorithms that are out there right now are meant to NOT be unhashed.
Kainproductions
Forum Newbie
Posts: 4
Joined: Wed Apr 05, 2006 1:22 pm

Post by Kainproductions »

Can I do this alternatively with cookies? If so, how would I go about doing this? How would I grab the user's userid from their cookies and carry it over to the other site?
Last edited by Kainproductions on Mon Apr 10, 2006 1:12 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Cookies set on other domains cannot be read.
printf
Forum Contributor
Posts: 173
Joined: Wed Jan 12, 2005 5:24 pm

Post by printf »

mcrypt would be good for this sort of thing.


Code:

/*
* encode protected link variable (sending server)
*/

function encode_key ( $str )
{
	$obj = mcrypt_create_iv ( mcrypt_get_iv_size ( MCRYPT_XTEA, MCRYPT_MODE_ECB ), MCRYPT_RAND );

	return ( bin2hex ( gzcompress ( mcrypt_encrypt ( MCRYPT_XTEA, SYS_KEY, $str, MCRYPT_MODE_ECB, $obj ), 9 ) ) );
}

// send usage

define ( 'SYS_KEY', 'my_super_secret_key' );

$str = 'some text to encrypt and protect';

// the encoded value must sit inside the href quotes
$link = "<a href='http://www.test_site.com/path_to_test/script.php?user=" . encode_key ( $str ) . "'>Take Test</a>";





Code:

/*
* decode protected link variable (receiving server)
*/

function decode_key ( $str )
{
	$str = @gzuncompress ( @pack ( 'H*', $str ) );

	$obj = @mcrypt_create_iv ( @mcrypt_get_iv_size ( MCRYPT_XTEA, MCRYPT_MODE_ECB ), MCRYPT_RAND );

	return ( @mcrypt_decrypt ( MCRYPT_XTEA, SYS_KEY, $str, MCRYPT_MODE_ECB, $obj ) );
}


// receiving usage

define ( 'SYS_KEY', 'my_super_secret_key' );

if ( isset ( $_GET['user'] ) )
{
	$user = trim ( decode_key ( $_GET['user'] ) );

	if ( valid_user ( $user ) === true )
	{
		// do test, valid user
	}
	else
	{
		// do error, not valid user
	}
}
pif!
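
An added example, not part of the original post: the same encode/decode pair written with authenticated encryption from PHP's sodium extension. The mcrypt extension was removed from PHP core in 7.2, and ECB mode ignores the IV and gives the receiver no way to detect an altered value. The key constant and usernames below are constructed, and link expiry is not covered here.

```php
<?php
// Added example, not printf's code. Assumes PHP 7.2+ (bundled sodium
// extension). LINK_KEY_HEX is a constructed demo key; a real key comes from
// sodium_crypto_secretbox_keygen() and is shared with the partner out of band.
const LINK_KEY_HEX = '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff';
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;
const NONCE_LEN = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;

// Sending server: encrypt and authenticate the username under a fresh nonce.
function encode_user(string $username): string
{
    $nonce = random_bytes(NONCE_LEN);
    $box   = sodium_crypto_secretbox($username, $nonce, sodium_hex2bin(LINK_KEY_HEX));
    return sodium_bin2base64($nonce . $box, B64); // URL-safe, no padding
}

// Receiving server: returns the username, or null if the token is malformed
// or fails authentication (wrong key, or any bit changed in transit).
function decode_user(string $token): ?string
{
    try {
        $raw = sodium_base642bin($token, B64);
    } catch (SodiumException $e) {
        return null;
    }
    if (strlen($raw) < NONCE_LEN + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(
        substr($raw, NONCE_LEN),
        substr($raw, 0, NONCE_LEN),
        sodium_hex2bin(LINK_KEY_HEX)
    );
    return $plain === false ? null : $plain;
}

// Constructed round trip, then the same token with one character altered.
$token = encode_user('alice');
var_dump(decode_user($token));
$altered     = $token;
$altered[30] = ($altered[30] === 'A') ? 'B' : 'A';
var_dump(decode_user($altered));
```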
ntbd
Forum Newbie
Posts: 21
Joined: Wed Apr 12, 2006 6:42 am

Post by ntbd »

There are ways you can use a cookie on different servers; it depends how you want to output the results.
You could use a PHP file as a JavaScript source on your server and have their script collect the info from that.