prevent url tampering in php

Question

This is a test engine application with 5 papers set by me..as 5 php pages

Flow of the application

Login.html

check.php // to check whether credentials r right

if correct then

main.php //user clicks on "take test" in this page which displays him 1 of the 5 papers...

but once i am logged in i can just change the url to the url of the test paper i want..the paper names r 1.php 2.php....

how do i stop this...??

if(!isset($_SESSION['page'])//Tp
        continue;           //Tp
else
 {
   header('Location:login.php');
   exit;
 }                               //Tp
$_SESSION['page']=$_SERVER['SCRIPT_NAME'];//tp

is this correct...as i said there are 5 pages....

in eac page i have this code....

i check whether the Session variable is set....if it is set...it means it already has visited the page.....but this code doesnt work...did i use the variable _SESSION['page'] before declaring it???

Answer 1

The best way is to build true authentication and authorization into your application. Then the URL that serves the paper needs to verify that the user is allowed to view the page before serving it.

Whatever you are doing in check.php, do it on the paper page itself.

Answer 2

Lots of alternatives. A couple:

• Don't encode the name of the paper names in the URL but return the contents of the selected paper from a page called, say, test-paper.php.

• track the papers the user is entitled to see in the user's session. Check in each test paper page whether the user is allowed to see this one and return a 403 Forbidden (or an error page) if they're not.

Many more, I'm sure.

Answer 3

The problems you're having could mostly be solved by arranging your code around a default handler script. (see my guidelines below.)

There are two basic ways to pass information to such a script (as I said in a comment above). The basic way is via a GET variable, like http://www.example.com/main.php?p=1.

If you want to have more visitor-friendly URLs, you can use a RewriteRule in an .htaccess file to convert the nice URLs into the URLs that your handler will understand. (You'll need mod_rewrite enabled.)

This may be overkill for this particular question, but here are a few guidelines for secure web apps. I think they're all relevant:

1. Put your sensitive information outside of the public web root.
2. By default, don't display any information. Only enable the displaying of information if the user is positively authorized.
3. Ideally, this includes URLs (if they type in a valid URL but they're not authorized, don't let them know they've reached a valid URL). One way is to redirect (set the location header like you were doing) to the login page if they're not authorized.
4. Create a default handler script. This central script will include all needed files and call all the needed functions. Pass all request information to this handler, and have it output all the HTML.
5. Requirement for #3: Encapsulate your code in functions and classes. That way, your default handler can call them when it's ready, only if you need them, and not simply because they happened to be included. This allows you much more control over the flow of your app.
6. Instead of echoing HTML in random places throughout your code, return all HTML output to your main handler, which will collect it and output it all in one place when it's ready. Random echos scattered around make it easier for security holes to crop up.
7. Don't trust user input. If you're going to use a value you get from $_GET or $_POST, make SURE it's a valid value before you use it.

---

Edit:

(This is more specific and directed toward your code as it is right now)

There are 3 reasons your code won't run as you expect it to:

1. You left out a closing parenthesis on the first line if(!isset($_SESSION['page']).

2. The way your code is written, if $_SESSION['page'] is already set when the user visits the page, they will be redirected to the login page. You can fix this by putting the header('Location:login.php'); exit; in the if clause and removing the else clause completely:

   if(!isset($_SESSION['page'])) {
      header('Location:login.php');
      exit;
   }
   $_SESSION['page']=$_SERVER['SCRIPT_NAME'];
   

3. You need to set $_SESSION['page'] when they first log in so they will be able to view the first page.

I'd recommend using an integer for $_SESSION['page'] instead of the script name. That way, you can set $_SESSION['page'] to 1 when they log in, and each time they successfully view a page, increment $_SESSION['page'] by one. Consider $_SESSION['page'] to mean the next paper this user is allowed to view.

You can set a $pageid on each paper. Each time they try to view a page, if $_SESSION['page'] is less than $pageid, don't let them view the page.