Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Encrypt/Encoding an ID in URL string

Just trying to do some security on my website and trying to figure out the best route to secure an ID.

EXAMPLE: http://localhost/page.php?id=90 TO: http://localhost/share/22349234987sdsdf9sdf87423498asf9

I am using HTACCESS to do the share part. But would like to hide the '90' and try to discourage anyone from just adding random numbers to try and receive a different response.

Any thoughts on how to create something like this, or if something already exists that works well with implementation?

Security is a factor, so just trying to find the best solution out there...

like image 924
Justin Avatar asked Feb 09 '11 01:02

Justin


People also ask

How do I encode text in URL?

URL Encoding FunctionsPHP has the rawurlencode() function, and ASP has the Server.URLEncode() function. In JavaScript you can use the encodeURIComponent() function. Click the "URL Encode" button to see how the JavaScript function encodes the text. Note: The JavaScript function encodes space as %20.

What type of encoding is URL encoding?

Percent-encoding is a mechanism to encode 8-bit characters that have specific meaning in the context of URLs. It is sometimes called URL encoding. The encoding consists of substitution: A '%' followed by the hexadecimal representation of the ASCII value of the replace character.


3 Answers

Hiding the ID is obscurity, not security.

If you want good obscurity, look at the mcrypt functions in PHP. Make sure to append a salt before encoding and decoding, otherwise it will be easy to guess the encryption/decryption.

And be aware that anyone else might still stumble across your URLs, defeating this entirely. I'd use some form of HTTP Auth over HTTPS if you want security, too.

like image 152
Mark Rose Avatar answered Oct 03 '22 23:10

Mark Rose


A friend of mine implemented a method of signing all the GET requests with the current session token and a secret to prevent CSRF attacks.

But what you are trying to do is to have an URL that you can share with other people.

You could create an MD5 hash that resembles the original url, and save both in the database.

Now when /share/someLongId is opened, you can check in the database where to which URL that hash belongs and can redirect the user to that URL.

Another possibility is to use GUIDs instead of auto-incrementing IDs in the first place. That way all the IDs are just longer and not that easy to guess.

like image 35
Sebastian Hoitz Avatar answered Oct 03 '22 22:10

Sebastian Hoitz


Depending on if you need it (the URL) to be persistent or not, you cold do either:

non-persistent: do something like this:

function getLink($id) {
   $random = md5(uniqid());
   $_SESSION['links'][$random] = $id;
   return "http://localhost/share/$random";
}
echo getLink(10);

and then:

function getTrueId($id) {
  if(isset($_SESSION['links'][$id]) {
     return $_SESSION['links'][$id];
  } else {
     die("Unknown link!");
  }

}

This will make links usable only to the current user in current session. If you need it persistent, you can generate random IDs and store them in the database along with real IDs, but this may be pointless, as the random ID can be used instead of real ID to do the same things...

like image 44
StasM Avatar answered Oct 03 '22 23:10

StasM