Are secret query strings a reasonable way to limit access and hide content to a non-secure site?
So I'll say right up front, obviously I know this is not actually secure, don't beat me up over that. I'm just interested in the question from a laziness standpoint.
I have a website that has some information that I'd like to "hide" from the general public. Nothing important or vulnerable; I just don't really want people to find it and mess with it. I've already got a robots.txt file disallowing all crawling. There are no links on the page (or will be no links from other sites to this one).
example.com takes you to a "You are not allowed access" page, while example.com?real=fun actually gets you the content. PHP will not actually run the page unless the query key/value pair is correct. So is it reasonable for me to assume that no one will find this page by accident, and on the off chance they do, that they won't be able to get into the content?
Yes, I'm lazy, but I'd still like to know.
• edit • I'm not looking for "how to do this". I've already done it. The correct answer would address if there are other basic ways for a person to get into the page which uses this technique.
It'd certainly be a better way of "hiding" something than putting on a password. A password protected site obviously implies there's something hiding behind the fence, while the secret query string essentially gives away nothing.
On the other hand, if the secret string leaks, then your security system is torpedoed. I'd suggest doubling-down and triggering a regular login page if the secret query is provided. Then you can work away without having to keep the query string in view in the URL (and wouldn't show up in other sites' referer logs if you link to anything external).
This way you get the security of a required login, with the extra security of not even having obvious in-your-face "there is secured content here".
"Reasonable" is defined by the context. Novelty page with nothing really sensitive behind it? Sure. Just keep in mind that if you've ever sent the "hidden" link to anyone, they can just as easily post it in some IRC chat room somewhere, or someone can take a peek through your browser history while you're away from your keyboard. Remember, anyone that knows of http://example.com/index.php?real=fun can get there. "Nobody could possibly know" won't help you once they know.
Now, if you're really interested in security you could set up a temporary ID value in a database somewhere, with a randomly generated 6 or 8 character hash and an expiry date (of, say, one day). Email a friend example.com/index.php?real=8AC02F, and he'll have access to that content for a day or so. Write a passworded script to generate a hash and expiry date and store them in a database.
Don't forget the cron script to remove expired hashes, you don't want to make a mess of things.
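The expiring-link scheme described in this answer, as an added example that is not part of the original post. It goes a little further than the answer: the token is 128 bits from PHP's CSPRNG instead of 6 or 8 characters, and only its SHA-256 is stored. The table name, function names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added example: expiring access tokens. All names here are hypothetical.
$db = new PDO('sqlite::memory:');   // stand-in for the site's real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE access_tokens (
    token_hash TEXT PRIMARY KEY,
    expires_at INTEGER NOT NULL)');

// Issue a token: return the value that goes in the link, store only its hash.
function issue_token(PDO $db, int $now, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(16));   // 32 hex characters from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO access_tokens (token_hash, expires_at) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $token), $now + $ttl]);
    return $token;
}

// Check the value taken from $_GET['real']: a string, known, and not expired.
function token_is_valid(PDO $db, $candidate, int $now): bool {
    if (!is_string($candidate) || $candidate === '') {
        return false;   // covers a missing parameter and ?real[]=x arrays
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM access_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $candidate), $now]);
    return $stmt->fetchColumn() !== false;
}

// Body of the cron job: delete expired rows and report how many were removed.
function purge_expired(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM access_tokens WHERE expires_at <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Constructed walk-through with a fixed clock instead of time().
$t0    = 1700000000;
$token = issue_token($db, $t0);
var_dump(token_is_valid($db, $token, $t0 + 3600));    // one hour after issue
var_dump(token_is_valid($db, $token, $t0 + 86401));   // just past the one-day expiry
var_dump(token_is_valid($db, ['x'], $t0));            // array instead of a string
var_dump(purge_expired($db, $t0 + 86401));            // cron run after expiry
```

Because the expiry is checked in the query itself, a late or missed cron run leaves stale rows behind but never extends access.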
You're relying on security by obscurity. It works up to a certain extent, but you shouldn't count on it. The answer to your question is "yes" it is reasonable, but don't rely on it in production.
The best way to do this would be to use Basic HTTP Auth to only permit those with login credentials to access the page(s).
A slightly more lazy way would be to display a form with no information, and they would have to enter some random string and submit it. If the string is correct, it would set a session on the server that would allow them to access the page.
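One way to build the form-plus-session gate described above, which also keeps the secret out of the URL, browser history and Referer headers as an earlier answer recommends. This is an added example, not code from any of the answers; the constant GATE_CODE_HASH, the field name "code" and the placeholder hash value are assumptions.

```php
<?php
// Added example. GATE_CODE_HASH and the field name "code" are hypothetical.
// Store the SHA-256 hex digest of the access code, computed once offline,
// so the code itself never sits in the source file.
const GATE_CODE_HASH = 'REPLACE_WITH_SHA256_HEX_OF_YOUR_CODE';

// HttpOnly keeps the session cookie away from page scripts. The "secure"
// flag is left off only because the question is about a plain-HTTP site.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $code = $_POST['code'] ?? '';
    // is_string() rejects code[]=x arrays; hash_equals() compares in constant time.
    if (is_string($code) && hash_equals(GATE_CODE_HASH, hash('sha256', $code))) {
        session_regenerate_id(true);   // fresh session id once access is granted
        $_SESSION['allowed'] = true;   // a flag only, never the code itself
        // Redirect so the page is reloaded with GET and the POST is not replayed.
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }
}

if (empty($_SESSION['allowed'])) {
    // No valid session: show the bare form and stop before any content runs.
    http_response_code(403);
    echo '<form method="post">'
       . '<input type="password" name="code">'
       . '<button type="submit">Go</button>'
       . '</form>';
    exit;
}

// Protected content starts here.
echo 'the content';
```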
If you're not seriously concerned about security and are just trying to keep people off a few pages, you've got a few options. Again, just to clarify, I wouldn't rely on these ideas solely for banking-style security....
- The basic premise of an auth system is to set a cookie or session id that you can check to see if the user is logged in on each page you want to protect. It's not that difficult! Just don't set the value of the session to something that you don't want hijacked.
- Apache can allow you to protect files or folders, which is a quick and dirty way of keeping people out of something.
- There are some very good open source auth systems that can be relatively easily bolted in.
- Simple tuts like this one can give you an entire auth system, basically done and ready to go.
Yes, it's reasonable to assume they won't be able to get into the contents because Apache will see an index.php request and simply deal out the resource. There is no way they can simply just guess what you've hardcoded in the backend server unless it's like some shared web hosting and other users on the server can see the contents of your directory.
Add this at the top of the index.php file for the root of www.example.com
// Deny unless the 'real' parameter is present and is exactly the string 'fun'.
if (!isset($_GET['real']) || $_GET['real'] !== 'fun') exit("nothing to see here");
You're asking if this solution is "reasonable". Since you obviously don't mean "secure", it's unclear what you do mean. I'm going to guess you mean "possible and easy to implement", in which case the answer is yes. But feel free to edit your question to make it more clear.