2

I have a link in my PHP/HTML like this:

<a href="http://search.mywebsite.com/login.aspx?checktype=uid&user=adam&password=pass1234&profile=dart&defaultdb=kts"> Log me into this website </a>

When users click on the link, the parameters are handled by a 3rd party website which logs the users in seamlessly.

Is it possible to hide/mask/camouflage the url so that users don't see the parameters while still passing them over to the designated site?

If no, how would you guys go about this? I'm mainly worried about the user and password params and need those hidden. (user=adam&password=pass1234)

The only way I know how to hide params is when using a form post method, but in this case it is not an option because I'm working with a direct link.

EDIT: To those who keep suggesting using a POST method, this is not an option because I'm not using a form and the receiving website is out of my control. I'm logging in from one site to another (3rd party) website.

Emir Memic
  • Is having the user log in not an option? What is making you pass a username and password in the url? Also, why would you have the password in plain text? – Brett Santore Jun 27 '14 at 20:08
  • Individual login is not an option because there's only one (enterprise) account on the 3rd party site that our entire department uses to log in with. It's kind of like one login fits all. I just discovered this vulnerability and need to find a way of resolving it. – Emir Memic Jun 27 '14 at 20:15

7 Answers

8

Your only option is to use a form and POST if the page you are logging into is controlled by a 3rd party:

<form action="http://search.mywebsite.com/login.aspx" method="post">
   <input type="hidden" name="checktype" value="uid" />
   <input type="hidden" name="user" value="adam" />
   <input type="hidden" name="password" value="pass1234" />
   <input type="hidden" name="profile" value="dart" />
   <input type="hidden" name="defaultdb" value="kts" />
   <input type="submit" value="Log me into this website" />
</form>

EDIT: If it must be a link and javascript can be required then you can use javascript to create and submit a form on the fly:

<a href="#" onclick="postLogin()">Log me into this website</a>

<script type="text/javascript">
function postLogin() {
    var form = document.createElement("form");
    form.setAttribute("method", "post");
    form.setAttribute("action", "http://search.mywebsite.com/login.aspx");

    var params = {checktype: 'uid', user: 'adam', password: 'pass1234', profile: 'dart', defaultdb: 'kts'};
    for(var key in params) {
        if(params.hasOwnProperty(key)) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);

            form.appendChild(hiddenField);
         }
    }

    document.body.appendChild(form);
    form.submit();
}
</script>
cOle2
2

Don't use $_GET to pass any personal, confidential or crucial data. Use $_POST instead.

I don't know what stops you from using $_POST but if you insist on using it anyway, try md5() to code these data and validate them when necessary. You can always use $_SESSION to pass $_POST login data for further use.

Sates
1

Agree on an encryption/hash approach (MD5 for example). Then have a preprocessing page that decrypts the message before calling the required script. I'm doing this in PHP... Just to show you the idea.

e.g. www.mydomain.com/preprocessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl

preprocessor.php (pseudo code)

$request = $_REQUEST["request"];
$decrypted = mydecryptfunction($request);
//$decrypted will now contain: targetpage=login.php?username=abc&password=34453js&location=ABJ...
//Now you can route the parameters to login.php. 

Note that mydecryptfunction($request) is a function you will create.

Justjyde
  • That's a valid solution; the only problem is that I don't have control over the receiving website handling the login request. – Emir Memic Jun 27 '14 at 20:21
  • If there is an option of using SSL, go for it. Your options are limited if you don't have control over the receiving website. You may suggest this possibility to them. – Justjyde Jun 27 '14 at 21:09
0

A login should be done via POST, not GET. Furthermore, sensitive details should be sent via HTTPS.

The process of creating secure login functionality could have an entire book written about it, so I suggest you start out by reading the definitive guide to web-based forms authentication.

If you have further specific questions about security, I suggest you try over at Security.SE.

Polynomial
  • I understand that. My apologies for not being clear enough in my first post. I've edited the question by mentioning that I do not have control on the receiving end. It's a 3rd party website. – Emir Memic Jun 27 '14 at 20:48
0

You can't do this using the GET method. It would be helpful if you gave us more information. Are you trying to get a user from your site to log into another website? In that case, they might have an API for that which you could check.

0

You can generate tokens for this function: in your database, generate a random string. This is a function which returns a random string:

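function gt_rnd_str($min=2,$max=9){
    $str="";
    // random_bytes()/random_int() (PHP 7+) draw from the CSPRNG;
    // md5(microtime()) and rand() are predictable and unsuitable for tokens.
    while (strlen($str)<$max)
        $str.=bin2hex(random_bytes(16));
    return substr($str, 0, random_int($min, $max));
}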

Now save a token with the username/id; using this you can easily generate more tokens for the same user as well as cancel any token easily.

Shubanker
  • I don't have access/control to the receiving website to do any decoding. – Emir Memic Jun 27 '14 at 20:23
  • If you don't have access to the website there is no secure way to do this. One thing you can do is shorten the link, but it will not help hiding them from a geeky guy. – Shubanker Jun 27 '14 at 20:31
  • What if I were to create a form that stores the title, url, and parameters inside a database. Then in PHP build a foreach loop that generates a form for each url (including the params) but only renders the title/link that points to "http://search.mywebsite.com/login.aspx"? In that sense, each click of the link will do a post submission. Thoughts? – Emir Memic Jun 27 '14 at 20:40
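
Added example (not part of the original thread): a sketch of the approach proposed in the comment above, turning a stored GET login link into an equivalent POST form with escaped hidden fields. The helper names `h()` and `link_to_post_form()` are hypothetical, and the `$links` array is constructed sample data standing in for the database rows.

```php
<?php
// Added example, not from the original thread. h() and link_to_post_form()
// are hypothetical helper names; $links is constructed sample data.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Split a GET login link into its bare action URL and parameters, then
// render a form that sends the same parameters in a POST body instead.
function link_to_post_form(string $title, string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Not an absolute URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Unsupported scheme');
    }
    $params = [];
    parse_str($parts['query'] ?? '', $params);

    // Rebuild the action without the query string.
    $action = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/');

    $html = '<form action="' . h($action) . '" method="post">' . "\n";
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException('Array parameters not supported');
        }
        $html .= '  <input type="hidden" name="' . h((string) $name)
            . '" value="' . h($value) . '">' . "\n";
    }
    return $html . '  <input type="submit" value="' . h($title) . '">' . "\n</form>\n";
}

// Constructed rows standing in for the title/url table described above.
$links = [
    ['title' => 'Log me into this website',
     'url'   => 'http://search.mywebsite.com/login.aspx?checktype=uid&user=adam&password=pass1234&profile=dart&defaultdb=kts'],
];
foreach ($links as $row) {
    echo link_to_post_form($row['title'], $row['url']);
}
```

The POST body keeps the parameters out of the address bar, browser history, Referer headers and URL-based access logs, but the hidden field values are still delivered to the browser and readable in the page source.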
0

You can use an iframe with the URL of the page and style it to fill the parent and remove the border.

<!DOCTYPE html>
<html>
    <body>
        <iframe id="win" src="bookmarks_3_22_20.html" frameborder="0">
        </iframe>
        <script>
            this.onload=function(){
                document.getElementById("win").style="width:"+window.innerWidth+"px;height:"+window.innerHeight+"px;";
            }
        </script>
    </body>
</html>
markoj