Protecting the url location browser view

flashman

Hello,

i need help to understand and make the following thing: how can i protect the url variables using in the requests, to make them invisible or completly confusing for the browser location site users?

If i´m using variables like 'user' and 'password', my script is showing this data in the url, and it cant do that!

Sample:

At one page, a form whith the '$user' and '$password' variables, sending by the GET method, requesting the 'login.php' file.

When this form is processed, at the browser location shows 'http://site.com/login.php?user=me&password=123' How hidde this from the user, by crypto or something? And please, don´t tell me about the POST method.

Anon

whats wrong with POST ? thats what its for ?

Anon

Use POST method and remember, variables will be stored in the POST array (example, $POST["name"], $_POST["password"]).

H.L.

rrijnders

Even if you hide it in the address box, the user will still see it on the status line when they put the mouse pointer over the link. And even if you use javascript to keep that from happening, the user can still see the information if they "view page source" on the web page.

What you are doing is just not very secure. If you need to store passwords and user id's for your script to run, store them in session var's or a DB instead.

That said, you can superficially hide your info by using frames to keep it from showing up in the address box and javascript to keep it from showing up on the status line.

-- Rich

Anon

or just use POST ?

rrijnders

He said that there is some reason that he does not wish to, or can't use post. The answer was given relative to his question, not your preference.

flashman

That´s it Richard.

I know POST, but i have seen tousand of websites using GET, where the PHP variables can´t be understood by the user. Plus, my aplication use something like that, and i still don´t know how can i do hidde this information.

if (case_one) {
header('location:' . 'page_one.php?usuario=$user&password=$password');
}
else {
header('location:' . 'page_two.php?user=$user&password=$password');
}

So, how can this be done?

And i will not use frames, javascript or any other resource: just html and php.

Richard A. Rijnders wrote:

He said that there is some reason that he does not wish to, or can't use post. The answer was given relative to his question, not your preference.

Anon

I think session would be the most useful thing. All variables and values are stored on the server, the client doesn't have any trace of them in the source. The only thing he has is a cookie or a " PHPSESSID=<session id> " in the location bar (example : secure_page.php3?PHPSESSID=34de892343de545r45g4t, something like that)

See http://www.php.net/manual/en/ref.session.php

If you still want to have the variables and values in the location, you can encode them. I don't suggest you to use it, but you can use base64_encode() (http://www.php.net/manual/en/function.base64-encode.php) to encode values and base64_decode() (http://www.php.net/manual/en/function.base64-decode.php) to decode them.

But I think sessions would be better... Ask for user and password, check them, if ok, create session and store values... on each page, check if the stored values are ok...

flashman

OK, i will take a good look at sessions then. Thank you.