0

Hi,

I have developed a site that allows users to post details for others to view. Within this I have built a secure login process that uses cookies to help the user around the site.

However, when using sites like facebook, I notice that I receive emails with links that pnce clicked automatically take me through the verification process (i.e. check my cookie and if not set allow me to logon) and then take me to a specific page, i.e. http://somedomain/somesubfolder/somefile.php?something=lotsofnumbers

I am assuming this page does not actually exist on the server, and the url and numbers somehow work with the session to identify the user then compile the correct data for the user to view.

I would like to implement a similar methodology but have no idea of where to start or to start reading.

Can someone point me i the right direction please?

Many thanks

3
Contributors
9
Replies
10
Views
7 Years
Discussion Span
Last Post by hielo
0

I don't know how Facebook is doing it but a couple of options come to mind:

1. Instead of having a unique page address, have the number as a parameter in the url and use that in a database select to identify the user and get the db info.

2. Have a custom 404 (page not found) page. The page won't really exist so you will get a 404 error when the click the link. If you intercept the error you can then store the last part of the link (that is actually the parm) and then re-direct to wherever module that you have to process it.

0

assuming you have a unique identifier for each person (like an email address or an auto-incremented db id), you can combine it with time() and feed it to md5():

echo $tmp = md5($_SESSION['email'].time());

//you would then save this $tmp key onto a db table (make sure that the field you save it does NOT accept duplicate values) and include in some link.
//when the user clicks on that link, you should see that $tmp again, and then try
//to match it against what you saved on the db
0

removed as reply duplicated

Edited by Thorby68: reply duplicated

0

removed as reply duplicated

Edited by Thorby68: Reply Duplicated

0

Many thanks, this is very much appreciated.

This should afford me even more security and flexibility in my approach.

Many thanks

0

Many thanks, this seems to make perfect sense.

Your help is giving me the idea of creating a number of pre-determined select statements as classes or functions. Then when I require need the user to access a certain class/function I can store the relevant call to the class/function in a table with a unique ID.

I am also thinking I should be able to add the unique reference to the url so when the user clicks the URL I can intercept the reference and call the correct class/function (select) and create the desired view.

I am also thinking that this type of methodology may help me secure my data, because I can first verify the user using their cookie before calling the desired function. So, as often happens, if one user shares the url that i've sent, with another user, I can still call the class/function, but present the data that is pertinent only to the cookie of the user sending the url.

Am I thinking along the right lines here?

0

I don't know what the cookies have to do with all of this. I can go to some url on your site, you assign me a cookie. I share the url with my friend, delete my cookies, then go back to your site with the same url and now you can't match my cookie against my url, so you wouldn't know if it is me or my friend.

The whole point of the url with the numbers is that I am the one who is "primarily responsible" for whatever lies behind your resource. The fact that I chose to share it with my friend is a different issue altogether. You could require a username/password upon accessing that resource, BUT if I really wanted to share it with my friend, I would give him/her that info as well. The reality of the situation, is that you have no guarantee that "the primary person" is accessing that url. So cookies will not help you much here.

0

Many thanks,

you are 100% right, but I insist on the use of cookies by my members. So, even if they delete the cookie, they will need to login again (re-establish the cookie) before they can access the site.

once again many thanks, your help is invaluable.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.