#1 Contributing User (Devshed Newbie)

    Is a redirect safer in PHP or JS for a sensitive URL?

    PHP's header(Location: )
    VS
    JavaScript window.location()

    I need to redirect them to a sensitive GET-filled URL and back again without them noticing.

    Code:
    www.mydomain.com/loginMe.php?key=cbe2a588d82a10
    Thanks!!!
    Last edited by Toxinhead; March 17th, 2013 at 05:47 PM.
#2 Code Monkey V. 0.9 (Devshed Regular)
    There's no way that you can send a URL parameter and keep it "secure". Because it's part of the public request, there's nothing that you can do to make it hidden or secure. Any server that request travels through has complete access to it, even if you're using SSL.

    If you want to make this secure send the value via POST and send it to a SSL-secured URL. Don't use GET.

    Can I ask why you need to do things this way? There's probably a better way of doing this than the way that you're thinking of.

    Comments on this post

    • Nilpo agrees
#3 Contributing User (Devshed Newbie)
    Hey thx for reply,
    Yeah the key is randomly generated and only lasts for 15 seconds but is used to log in to multiple domains e.g. .de .fr .com

    1. User signs on, stores newly generated key.

    2. Redirect to new domain and checks for a db - GET match for the key

    3. If a match signon and repeat


    I am using GET as I couldn't automatically POST data in the header.
    Thanks!!!
#4 Code Monkey V. 0.9 (Devshed Regular)
    I had a feeling that it might be something like that, and that leads me to offer a different idea on how to do it that will get rid of the redirection.

    Look at using CURL so you can post the info to the second domain behind the scenes so that there's no redirection by the user, and you can easily send values via POST and keep everything secure. When your script gets the response from the other system you can do whatever you need to. This removes the client's redirection so you have complete control over what's happening and doesn't rely on the user's browser to do the right thing.

    If you don't want to or can't do it that way then it really doesn't matter if you redirect through PHP or Javascript as they'll both leave the same security holes open.
#5 Contributing User (Devshed Newbie)
    Thanks for in-depthness,

    If I create an SSL certificate in the future for all domains, does this ensure that the CURL POST'd data is slightly more secure?
    Would SSL do any help to GET transmitted pages also?


    I just grabbed this from stackoverflow, does CURL give you a response back in real time?

    PHP Code:
    // Target URL and the form-encoded body to send; $myvar1 and $myvar2
    // are assumed to be set earlier in the script.
    $url = 'http://www.someurl.com';
    $myvars = 'myvar1=' . urlencode($myvar1) . '&myvar2=' . urlencode($myvar2);

    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_POST, 1 );              // send as POST, not GET
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $myvars );  // the POST body
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );    // follow redirects from the remote site
    curl_setopt( $ch, CURLOPT_HEADER, 0 );            // don't include response headers in $response
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );    // return the body instead of printing it

    $response = curl_exec( $ch );                     // blocks until the remote site answers
    if ( $response === false ) {
        error_log( 'cURL error: ' . curl_error( $ch ) );
    }
    curl_close( $ch );
    Last edited by Toxinhead; March 17th, 2013 at 06:00 PM.
#6 Code Monkey V. 0.9 (Devshed Regular)
    Originally Posted by Toxinhead
    If I create an SSL certificate in the future for all domains, does this ensure that the CURL POST'd data is slightly more secure?
    It will make it a lot more secure. When you use GET data it's all transmitted in the URL and not encrypted at all, even with an SSL set up. When you have a request that works through SSL and sends POST values these are encrypted along with the rest of the content so it's inherently a lot more secure.

    Originally Posted by Toxinhead
    Would SSL do any help to GET transmitted pages also?
    Not URL values. SSL encrypts the page's content, not the URL, so sending any value via the URL gives no security at all.

    Originally Posted by Toxinhead
    I just grabbed this from stackoverflow, does CURL give you a response back in real time?
    Yes. The curl_exec() is a synchronous call so it blocks the process until it gets a response. In your case this is what you want because you'll know exactly what's come back from the remote site.

    Comments on this post

    • Toxinhead agrees : thx!
#7 Contributing User (Devshed Newbie)
    Awesome! I think I am set to run along now
    Big thanks!
    Ricky
#8 Lost in code (Devshed Supreme Being)
    Yeah the key is randomly generated and only lasts for 15 seconds but is used to log in to multiple domains e.g. .de .fr .com
    The user can only use the key to log into their own account though, right? So you're not actually trying to prevent the user from seeing it?

    I doubt cURL will work for you in this case. If your goal is to initialize sessions and cookies on all of the sites at once, then you can't use cURL because the server running the HTTP request can't set cookies for the other domains even if the other domains tell it what cookies to set.

    When you use GET data it's all transmitted in the URL and not encrypted at all, even with an SSL set up.
    I haven't double checked this, but I'm fairly certain that the URL and the query string *are* encrypted during transfer when SSL is enabled. This is the primary reason why you can't use name-based virtual hosting with SSL without special server and browser extensions (the decryption keys belong to a specific vhost, but the web server can't determine which domain the HTTP request belongs to until after the message is decrypted because the URL is encrypted too).
#9 Contributing User (Devshed Newbie)
    Hahahahahahaha I wish I saw your post four hours ago
    OMG I fully undid four hours of code re-modding from cURL attempts back to the GET login method, thanks Notepad++

    http://forums.devshed.com/php-develo...th-941892.html
    Last edited by Toxinhead; March 17th, 2013 at 10:37 PM.
#10 Lost in code (Devshed Supreme Being)
    If you are only concerned with someone intercepting and using the value in the 15 seconds that it's valid, there are additional security measures you can take:
    * You can check the user's IP address and browser user agent
    * You can pass a nonce value along with the key (or treat the key as a nonce itself and only allow it to be used once)
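The single-use, 15-second key bound to the requesting browser that the post above describes, as an added example that is not code from the thread: PHP with an in-memory SQLite table standing in for the database the domains share, so the table, column and function names are assumptions (the IP check is left out, since it breaks behind proxies).

```php
<?php
// Added example (not from the thread): a randomly generated login key that
// lasts 15 seconds, is bound to the browser that requested it and can be
// redeemed exactly once. SQLite in memory stands in for the database the
// domains share; table, column and function names are assumptions.
const KEY_TTL_SECONDS = 15;

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE login_keys (
    key_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, ua_hash TEXT NOT NULL,
    expires INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');

// Step 1 of the thread's flow, on the domain the user signed on to. The
// returned key goes into the redirect (loginMe.php?key=...); only its hash is
// stored, so a dumped table contains no live keys.
function issueLoginKey(PDO $db, int $userId, string $userAgent): string
{
    $key = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not rand() or uniqid()
    $db->prepare('INSERT INTO login_keys (key_hash, user_id, ua_hash, expires) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $key), $userId, hash('sha256', $userAgent), time() + KEY_TTL_SECONDS]);
    return $key;
}

// Step 2, in loginMe.php on the next domain. The single UPDATE is what makes
// the key a nonce: it only matches a row that is unused, unexpired and issued
// to the same user agent, and two concurrent requests carrying the same key
// cannot both get rowCount() == 1. Returns the user id to sign on, or null.
function redeemLoginKey(PDO $db, string $key, string $userAgent): ?int
{
    $hash = hash('sha256', $key);
    $st = $db->prepare('UPDATE login_keys SET used = 1
                        WHERE key_hash = ? AND used = 0 AND expires >= ? AND ua_hash = ?');
    $st->execute([$hash, time(), hash('sha256', $userAgent)]);
    if ($st->rowCount() !== 1) {
        return null;                    // unknown, replayed, expired, or a different browser
    }
    $row = $db->prepare('SELECT user_id FROM login_keys WHERE key_hash = ?');
    $row->execute([$hash]);
    $userId = (int) $row->fetchColumn();
    $db->prepare('DELETE FROM login_keys WHERE key_hash = ?')->execute([$hash]);
    return $userId;
}

// Constructed run-through: the first redemption yields the user id, the replay
// of the same key a moment later yields null.
$ua  = 'Mozilla/5.0 (constructed sample user agent)';
$key = issueLoginKey($db, 42, $ua);
var_dump(redeemLoginKey($db, $key, $ua));
var_dump(redeemLoginKey($db, $key, $ua));
```

On the real site the redeeming page would follow a non-null result with session_start() and session_regenerate_id(true) for that domain's own session, so the key itself never outlives the redirect.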
#11 Contributing User (Devshed Newbie)
    Haha pant* pant* . .

    Sorry it's 5 in the morning here and found all this too much
    Thanks for the suggestions, I will implement them, so on my shared hosting plan with hostgator, I would benefit with SSL using this GET method? (I suppose I could ask them)
#12 Come play with me! (Devshed Supreme Being)
    Originally Posted by E-Oreo
    I haven't double checked this, but I'm fairly certain that the URL and the query string *are* encrypted during transfer when SSL is enabled. This is the primary reason why you can't use name based virtual hosting with SSL without special server and browser extensions (the decryption keys belong to a specific vhost, but the web server can't determine which domain the HTTP request belongs to until after the message is decrypted because the URL is encrypted too).
    Correct. SSL is set up before the request is sent so it will be entirely encrypted. Doesn't change the fact that the end user can see the URL.
#13 Devshed Beginner
    Can you tell us what you're actually trying to do? I have a gut feeling there's a bad practice going on here. One site login shouldn't work across multiple sites, unless you're specifically using a service designed for this. (For the simple fact that there are a lot of considerations that need to be addressed in order to make this work securely and reliably.) Even solutions similar to OpenID require a separate authentication for each site.

    In my opinion, logins, sessions, cookies, and anything else for that matter should never be transferred from one domain to another except where exclusively necessary, and then with only as little information as absolutely required.
    Last edited by Nilpo; March 18th, 2013 at 02:01 PM.
