Malicious Redirect

CorneliaYoder

I run a small game that is played through a browser. In it, I allow players to provide a URL of an image which is then displayed on a certain page within the game when other players view that page.

One of my players has found an exploit and I can't figure out how to prevent it.

He provides a URL that is a legitimate image on his server. Then he uses .htaccess to redirect anyone who views that image, using Redirect 301 /image.png http://example.com/scripts/logout.php

Apparently, this says "Setup a redirect with HTTP status 301 (moved permanently) whenever someone visits /image.png on this server, to http://example.com/scripts/logout.php instead.

Thus any player who views his image is logged out on the next action they take.

How can I control and prevent this?

CoderDan

quick and dirty: add a confirmation to the logout page. so opening the page alone does not log them out.
I'm sure when I wake up some more I can come up with something more elegant.

CorneliaYoder

That's an excellent idea for a quick fix!

Would you be kind enough to post a quick piece of code showing how to do that at the beginning of a script, rather than on a submit?

Also, if a player clicks NO, will that kill the script and therefore the redirect as well?

CoderDan

what i mean is that when a user goes to logout.php that in itself does not log them out, but asks for a confirmation.
I assume clicking logout takes them to logout.php which logs them out.
instead, clicking logout takes them to logout.php, which then asks them to confirm logout.

CorneliaYoder

Yes, I understood that, but I don't know how to ask for a confirmation in this situation. Is there a popup thingy, or should I just code my own html form?

CoderDan

Simplest method is a form that says 'are you sure you wish to logout' and they click a button, that posts to logout to complete the process.
Now, it's entirely possible for this to still be 'faked', however more difficult.
If you want to add another layer, you can add in a 'secret code' (although this could also be done instead of confirmation) that does something like this:

$logout_code = md5( 'logout_code'.$user_id );

which you send as the value of logout, ie:

<a href='logout.php?code=<?php echo $code?>'>logout</a>

and then recreate this code in the logout.php script to confirm logging them out.
This would give every user a unique code for logging out that the 'spoofer' couldn't duplicate.
And, now I'm awake, is a far better method than having a confirmation form on the logout page.

CorneliaYoder

I appreciate all the ideas, and don't mean to be hard to please, but....

The code idea puts the onus on each player to logout and enter a code. Half of them don't bother to log out anyway, just close the window, so the extra effort to enter a code would just push the rest of them to do the same.

Is there no way in my own code that I can prevent this redirect?

CoderDan

this puts no onus on the player.
The code is generated by your code and invisibly appended to the logout action
it is then generated a second time, again by your code (within the logout routine) and if it matches, logout is performed (which is the usual expected behavior)
If, however, someone tries to make the user call the logout page (via an image, or some other client side interaction) then they don't know the code (unless they look through the source of your page and dig it out of the logout link in teh resulting html code, but that's a whole 'nother story, and requires them getting malicious javascript onto the players browser, which if they can do that you have bigger problems) so as they don't know the code, they can't send the user to the logout page with the code, and the logout check will fail.