I have a link in my PHP/HTML like this:
<a href="http://search.mywebsite.com/login.aspx?checktype=uid&user=adam&password=pass1234&profile=dart&defaultdb=kts"> Log me into this website </a>
When users click on the link, the parameters are handled by a 3rd party website which log the users in seamlessly.
Is it possible to hide/mask/camouflage the url so that users don't see the parameters while still passing them over to the designated site?
If no, how would you guys go about this? I'm mainly worried about the user and password params and need those hidden. (user=adam&password=pass1234)
The only way i know how to hide params is when using a form post method but in this case it is not an option because im working with a direct link.
EDIT: To those who keep suggesting using a POST method, this is not an option because I'm not using a form and the receiving website is out of my control. I'm logging in from one site to another (3rd party) website
Your only option is to use a form and POST if the page your are logging into is controlled by a 3rd party:
<form action="http://search.mywebsite.com/login.aspx" method="post">
<input type="hidden" name="checktype" value="uid" />
<input type="hidden" name="user" value="adam" />
<input type="hidden" name="password" value="pass1234" />
<input type="hidden" name="profile" value="dart" />
<input type="hidden" name="defaultdb" value="kts" />
<input type="submit" value="Log me into this website" />
</form>
EDIT: If it must be a link and javascript can be required then you can use javascript to create and submit a form on the fly:
<a href="#" onclick="postLogin()">Log me into this website</a>
<script type="text/javascript">
function postLogin() {
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://search.mywebsite.com/login.aspx");
var params = {checktype: 'uid', user: 'adam', password: 'pass1234', profile: 'dart', defaultdb: 'kts'};
for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
</script>
Don't use $_GET to pass any personal, confidential or crucial data. Use $_POST instead.
I don't know what stops you from using $_POST but if you insist on using it anyway, try md5() to code these data and validate them when necessary. You can always use $_SESSION to pass $_POST login data for further use.
Agree on and encryption/hash approach (MD5 for example). Then have a reprocessing page that decrypts the message before calling the required script. I'm doing this in php... Just to show you the idea.
eg. www.mydomain.com/preporcessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl
preprocessor.php (pseudo code)
$request = $_REQUEST["request"];
$decrypted = mydecryptfunction($request);
//$decrypted will now contain: targetpage=login.php?username=abc&password=34453js&location=ABJ...
//Now you can route the parameters to login.php.
Note that mydecryptfunction($request) is a function you will create.
A login should be done via POST, not GET. Furthermore, sensitive details should be sent via HTTPS.
The process of creating secure login functionality could have an entire book written about it, so I suggest you start out by reading the definitive guide to web-based forms authentication.
If you have further specific questions about security, I suggest you try over at Security.SE.
You can't do this using the GET method. It would be helpful if you gave us more information. Are you trying to get a user from your site to log into another website? In that case, they might have an API for that which you could check.
You can generate tokens for this functions: in your database generate an random string: This is an function which returns an random string
function gt_rnd_str($min=2,$max=9){
$str="";
while (strlen($str)<$max)
$str.=rtrim(base64_encode(md5(microtime())),"=");
return substr($str, 0, rand($min, $max));
}
now save an token with username/id and using this you can easily generate more tokens for same user as well as cancel any token easily..
来源:https://stackoverflow.com/questions/24459984/php-hide-url-get-parameters