
Passing variables by URL and security


alanmusician (Programmer, US), Jun 30, 2005
Hello, all,
I am trying to use a PHP script for documentation purposes in an old program written in Clarion. I want to be able to pass template and application ids to the PHP script, which then looks up the help topic associated with those IDs. I am able to do this by launching a URL (in IE) from the program, for example:

    http://www.ourserver.com/helpget.php?appid=101&tempid=2352

The difficulty lies in that I don't want anyone not using our software to be able to access these help files. My tentative solution is to create a key off of licensing information that is stored in our program and encrypt the appid and tempid, and then send both the encrypted data and the key at once. This is, of course, not very secure.

My question is if anyone can provide any ideas on how to properly do this. I would also like to know how to hide the URL when I send it to the browser.

I know very little about web development and have only picked up enough PHP to create the documentation wiki. Any advice or explanation of how this sort of thing is normally handled would be welcome.

Thanks,
--Alan
 
this is not perfect security but it may be good enough for a static application (such as a help file).

1. create a unique id based on the current time. occlude the id within a longer string.
2. pass the id as a url variable.
3. on the server test that the timestamp is, say, within the last 60 seconds. if not then dump the request. If it is then assign a session variable saying that the user is ok for the time being. retest this variable every page to see whether the user has been absent for, say, more than a few minutes.
4. then redirect the user to a clean url (header("Location: cleanurl");).

the security in this method is based on how well you occlude the timestamp. it, of course, does not need to be a timestamp - you could use any other mathematical algorithm. The value of your data will determine how hard hackers will try to break it!
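The four steps above, as an added PHP example that is not code from either poster: it keeps the timestamp, the 60-second freshness test, the session variable and the clean-URL redirect, but signs appid, tempid and timestamp with an HMAC under a secret shared with the Clarion program instead of occluding the timestamp, so the check no longer depends on how well the encoding is hidden. The secret value, the parameter names ts and sig, and the final topic lookup are assumptions.

```php
<?php
// Added example, not code from the thread. Implements the reply's steps 1-4 but
// signs (appid, tempid, timestamp) with an HMAC instead of "occluding" the timestamp,
// so validity no longer depends on how well the encoding is hidden.
// Assumptions: the secret, the parameter names 'ts' and 'sig', and the final lookup.
const HELP_SECRET   = 'replace-with-a-long-random-secret-shared-with-the-Clarion-program';
const MAX_TOKEN_AGE = 60;   // seconds a launched URL stays valid (step 3)
const SESSION_IDLE  = 300;  // seconds of inactivity before the session expires (step 3)

// Client side (what the Clarion program would compute before launching the browser).
function build_help_url(int $appid, int $tempid, int $now): string {
    $sig = hash_hmac('sha256', "$appid|$tempid|$now", HELP_SECRET);
    return 'http://www.ourserver.com/helpget.php?' . http_build_query(
        ['appid' => $appid, 'tempid' => $tempid, 'ts' => $now, 'sig' => $sig]);
}

// Server side: true only if all fields are present, the signature matches
// and the timestamp is within MAX_TOKEN_AGE of the server clock.
function token_is_valid(array $q, int $now): bool {
    foreach (['appid', 'tempid', 'ts'] as $k) {
        if (!isset($q[$k]) || !ctype_digit((string) $q[$k])) {
            return false;
        }
    }
    if (!isset($q['sig']) || abs($now - (int) $q['ts']) > MAX_TOKEN_AGE) {
        return false;
    }
    $expected = hash_hmac('sha256', "{$q['appid']}|{$q['tempid']}|{$q['ts']}", HELP_SECRET);
    return hash_equals($expected, (string) $q['sig']);   // constant-time compare
}

// Request handling for helpget.php.
session_start();
if (isset($_GET['sig'])) {
    if (!token_is_valid($_GET, time())) {
        http_response_code(403);
        exit('Invalid or expired help link');
    }
    $_SESSION['help_ok'] = time();
    $_SESSION['appid']   = (int) $_GET['appid'];
    $_SESSION['tempid']  = (int) $_GET['tempid'];
    header('Location: helpget.php');   // step 4: redirect to a clean URL
    exit;
}
if (empty($_SESSION['help_ok']) || time() - $_SESSION['help_ok'] > SESSION_IDLE) {
    http_response_code(403);
    exit('Help session expired');
}
$_SESSION['help_ok'] = time();   // refresh the idle timer on every page
// Assumed: look up and render the topic for $_SESSION['appid'] / $_SESSION['tempid'].
```

A link captured from the browser history or a proxy log can still be replayed inside the 60-second window, so after the redirect the session cookie is the only thing that should grant access, and the server's clock must be reasonably in step with the client's.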
 