Reputation: 1935
I would like to hide the ID GET parameter from my URL after load, yet retain data.
Basically, I'm giving the option for users to make a private page public, but don't want people to be able to see the ID of the Watchlist, because they could then just change the number and see anyone's Watchlists, rather than just the one specific Watchlist which the user has decided to make public.
The original button to make the Watchlist public looks like so:
<a href="watchlist-download.php?id=<?php echo $watchlist_id; ?>"
class="btn btn-primary btn-block download-pdf" title="Download Watchlist PDF">
<i class="icon-share icon-white"></i> Share Watchlist
</a>
The Watchlist ID is required to populate the resulting page, however (so, for example, the page returns back a list of items associated with the Watchlist ID in the database), so the ID would need to be in the URL (or, it would need to be somewhere) to fetch back the correct content, but the user shouldn't be able to see it in the URL.
I'm not sure if this is actually achievable or not. If you need any more information/code snippets, just ask! Not sure what people will need to be able to solve this, so if you let me know what you need/what's relevant (if anything!), I'll post it up.
Thanks for your help!
Upvotes: 0
Views: 1033
Reputation: 1135
If you put id anywhere in the page (whether or not in the URL), it's not private anymore. The best way to secure URL parameters is to generate a random hash and save the URL in database against that hash.
Your watchlist URL will look something like /watchlist-download.php?get=e7b3418ab97e75deade429cb8da1dce4 and then look up the hash in the database and fetch the original URL, parse it internally and give the viewer what it wants.
If this hash is generated only on demand of the content owner, it will also prevent CSRF attacks.
Upvotes: 0
Reputation: 8520
Another suggestion would be to use a random hash, for example md5, which is linked to your watchlist. You can just generate one when creating the watchlist.
To generate a unique md5 hash in php you could use:
$unique_hash = md5(uniqid(rand(), TRUE));
Assuming you have a database table with your watchlists:
id_watchlist | name | hash
And then for example the following contents:
1 | watch 1 | 41ad0f218d400e4a1bcfdf9e762163e7
2 | watch 2 | e82fd1f16c23fd04e7893afc41e6a358
Then you use the hash instead of the id to get the corresponding watchlist.
<a href="watchlist-download.php?hash=<?php echo $watchlist_hash; ?>"
class="btn btn-primary btn-block download-pdf" title="Download Watchlist PDF">
<i class="icon-share icon-white"></i> Share Watchlist
</a>
For example:
http://www.example.com/watchlist_download.php?hash=e82fd1f16c23fd04e7893afc41e6a358
So in the end it's not possible to just change the id in the url and the watchlist is still accessible with a normal link.
Upvotes: 2
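A fuller version of the token approach this answer describes, added here as an example and not part of the answer or the question. It swaps md5(uniqid(rand(), TRUE)) for random_bytes() as the token source, and assumes a PDO connection $pdo plus a user_id column on the watchlists table (neither is on the page).

```php
<?php
// Added example; not from the question or any answer.
// Assumed: $pdo is a PDO connection, table watchlists(id_watchlist, name, hash, user_id),
// where hash is NULL until the owner chooses to share the list.
declare(strict_types=1);

// Create an unguessable share token when the owner makes a watchlist public.
// random_bytes() is a CSPRNG; 16 bytes = 128 bits, so changing digits in the
// URL does not land on someone else's list the way a sequential id would.
function makeWatchlistPublic(PDO $pdo, int $watchlistId, int $ownerId): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex chars, same shape as the answer's md5 values
    // The WHERE clause is tied to the owner so one user cannot share another's list.
    $stmt = $pdo->prepare(
        'UPDATE watchlists SET hash = :token WHERE id_watchlist = :id AND user_id = :owner'
    );
    $stmt->execute([':token' => $token, ':id' => $watchlistId, ':owner' => $ownerId]);
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException('watchlist not found or not owned by this user');
    }
    return $token;
}

// Resolve ?hash=... back to a watchlist. The numeric id never appears in the URL,
// and the lookup uses a prepared statement, so a tampered value yields
// "no such list" rather than a query error or someone else's data.
function findWatchlistByToken(PDO $pdo, string $token): ?array
{
    // Reject anything that is not exactly 32 lowercase hex chars before touching the DB.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id_watchlist, name FROM watchlists WHERE hash = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In watchlist-download.php:
// $list = findWatchlistByToken($pdo, $_GET['hash'] ?? '');
// if ($list === null) { http_response_code(404); exit; }
// ... render the items for $list['id_watchlist'] ...
```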
Reputation: 11148
It sounds to me like you want to use $_POST instead of $_GET
<form method="post" action="watchlist-download.php">
<input type="hidden" name="id" value="<?php echo $watchlist_id; ?>">
<button type="submit" value="Go">Share Watchlist</button>
</form>
To respond to your other issue, making sure that the user at hand can't see others' videos, you're going to need to create a database; each user will have a unique userID, and when a user goes to a video you will query the database to ensure that the viewed video is associated with the current user. Most likely you will have a table called user_video which will store user_id along with a video_id.
Upvotes: 1