
Obfuscating URL parameters to prevent users from changing them?

I am developing a fat client page based on JavaScript that will allow users to carry out tasks outwith another web client application (Oracle Siebel).

The way the web page will be called from the browser will be by a simple window.open() call.

When this happens a URL will be passed which contains some parameters at the end which will change the functionality of the fat client page depending on what value they have.

e.g

userlevel=1 //normal user

userlevel=2 //advanced user

An example full URL would be like so:

www.mypage.com/index.htm?id=25215125%userlevel=2%context=full

However, a user who wants to change their access only needs to figure out that if they change their user level then they can change their access rights on this fat client page.

Yes, I know this is risky and before you ask why I am not using a server supported thin client with controls that cannot be altered by the user. I simply have to do it this way!

This system will be in a "trusted" environment and these users will have at best average IT skills.

So all I need to do is figure out a way to obfuscate/ scramble the URL parameters (if possible) and then decipher them at the fat client.

e.g.

www.mypage.com/index.htm?1sdf908ga90-821098650f8asdg098g0a98

I tested it out on the browser and no complaints so far so I guess I just need to develop a piece of logic to decipher it.

e.g. I could use MD5?

Any examples or ideas?

Thanks

tomaytotomato asked Sep 15 '25 09:09


2 Answers

Try Base64 encoding it. https://stackoverflow.com/a/4699739/1088652

That'll shorten it and obfuscate it, so that users can't just throw values in the URL.

Fred answered Sep 17 '25 23:09


Params integrity can be ensured with HMAC. You generate a hash using a secret key and all the params, you include this hash inside the URL, then at the server side you generate a hash using the same params and compare the values.

function generateSignature(array $params, $hmacKey)
{
    // sort the array by key using SORT_STRING order
    ksort($params, SORT_STRING);

    $escapeFunc = function ($val) {
        return str_replace(':', '\\:', str_replace('\\', '\\\\', $val));
    };

    // generate the signing data string
    $signData = implode(':', array_map($escapeFunc, array_merge(array_keys($params), array_values($params))));

    // base64-encode the binary result of the HMAC computation
    $merchantSig = base64_encode(hash_hmac('sha256', $signData, pack("H*", $hmacKey), true));

    return $merchantSig;
}

sobstel answered Sep 17 '25 21:09
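
The verification side of the HMAC scheme described in the answer above, as an added example that is not part of the original answers: Node.js code that signs the question's parameters, then recomputes the signature, compares it in constant time, and returns the parameters only when they are unmodified. The key, the `sig` parameter name and the function names are assumptions made for this example.

```javascript
const crypto = require('crypto');

// Constructed demo key. A real key stays on the server and is never
// shipped inside page script, where any user could read it.
const HMAC_KEY = Buffer.from(
  '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff', 'hex');

// Same canonical form as the PHP above: sort by key, escape '\' and ':',
// then join all keys followed by all values with ':'.
function signingString(params) {
  const keys = Object.keys(params).sort();
  const esc = (v) => String(v).replace(/\\/g, '\\\\').replace(/:/g, '\\:');
  return keys.concat(keys.map((k) => params[k])).map(esc).join(':');
}

function hmac(params, key) {
  return crypto.createHmac('sha256', key).update(signingString(params)).digest();
}

// Issuer side: build the query string handed to window.open().
function buildQuery(params, key) {
  const qs = new URLSearchParams(params);
  qs.set('sig', hmac(params, key).toString('base64'));
  return qs.toString();
}

// Server side: return the verified parameters, or null if the query was
// altered or carries no signature. Callers use only the returned object,
// so a duplicated key in the URL cannot differ from what was checked.
function verifyQuery(query, key) {
  const qs = new URLSearchParams(query);
  const given = Buffer.from(qs.get('sig') || '', 'base64');
  qs.delete('sig');
  const params = Object.fromEntries(qs);
  const expected = hmac(params, key);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  return ok ? params : null;
}
```
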