|
|
 Joseph Schembri - 2016-12-08 19:16:54 It only works with link integer values of 1 to 9
If you include digit 0, it does not work.
If you use in the array alphabet characters, it does not work.
How can we allow both alpha and numeric (0 to 9) in the $path=array() so that it works properly.
Please advise possible changes
 Dave Smith - 2016-12-08 19:49:28 - In reply to message 1 from Joseph SchembriI did reply to your e-mail, however I will also include the response here in case you did not get it.
It is currently designed to use integers, however it can be re-written to work with alphanumeric characters. Understand that it is not limited to a maximum value of 9 though, your integer can be as large as you want within the limit of your 32 or 64 bit operating system, both of which support very large integers. So even though it is only integers there are enough possible combinations to defeat an automated attempt to break it, especially if it is set to strict mode which resets the users combination when they make a wrong choice.
We are using loose boolean logic so that false can be false, null, white-space or zero. I am thinking that you want zero to be true since it adds an additional integer, however it becomes a moot point when you consider that you are not limited to a maximum value of 9. For the ease of programming, zero should equate to false.
Dave
Dave Smith - 2016-12-08 20:08:23 - In reply to message 1 from Joseph SchembriIf you want to include alphanumeric characters, modify the secretpath.class.php file.
Change
$this->userPath[] = (int) $_REQUEST[$this->trackVar];
To
$this->userPath[] = $_REQUEST[$this->trackVar];
This change does not effect the method to generate a random path, only if you manually provide that path. PHP is normally pretty good at figuring out types, however with the type casting removed, I am not fully certain how PHP 7 will handle integers passed as strings. Should be okay, I just have not fully tested it.
Dave
Joseph Schembri - 2016-12-08 21:54:00 - In reply to message 1 from Joseph SchembriThanks for your reply
Did not get email
Alphanumeric now works.
Still having some issue with digit 0
If I put $path = array(1,0);
It does not work
When send link 1 and then link 0, it does not work.
Am I missing something
Dave Smith - 2016-12-08 22:34:42 - In reply to message 4 from Joseph Schembrizero equates to false, empty, no, etc...
You can use zero in any integer like 10, 100, 1000 and so on, just not by itself since it is nothing. You can even now use it in text like '0m', however in text, white-space equates to false, so a space ' ', tab '\t', newline '\n', carriage return '\r' etc... all are nothing in a logical check.
This does create a situation where ' m' (space m) is valid, so we should probably trim the value for consistency...
$this->userPath[] = trim($_REQUEST[$this->trackVar]);
Dave
Joseph Schembri - 2016-12-09 04:16:26 - In reply to message 5 from Dave SmithInstead of 0, I will use '00' and it works OK
and works OK
I noticed that if you click the wrong link, during the sequence nothing seems to happen.
You remain on the example.php page.
Only when you enter the correct sequence does it go to the secret.php page.
As long as you keep entering the wrong sequence you remain on the page until the correct sequence is entered.
This could go on forever.
If the wrong sequence is entered why does it not go to secret.php and have Access Denied.
Since $path is an array I wanted to count the number of link values in the array, If the number of entered links exceeds the count then, I wanted to give an error message to restart the sequence due to error entry.
Unfortunately, until the link sequence is entered, I can only count $path after a validated sequence.
Rather than look for a validated correct link sequence, would it be possible to count the number of links in the array and when the count is exceeded, to display an error message to restart the sequence.
At least this way, you are not there clicking links until you finally do the correct sequence.
I hope I have explained myself.
Would appreciate your help on this
Thanks
Joseph Schembri - 2016-12-09 04:28:19 - In reply to message 6 from Joseph SchembriI had a different thought.
We find the link value sent using:
$num = $_GET['link'];
We then compare this to the first link value in $path array.
If it is the same, no action.
If it is not the same, then we give error message.
As long as the sent value is the same as the corresponding value in the $path array, then proceed as normal.
At least this way, the user is aware of what is happening, especially if a wrong link is sent
Dave Smith - 2016-12-09 07:31:50 - In reply to message 6 from Joseph SchembriIf you are using it for validation, then the idea is that it is a secret. If you try to visit the secret.php page without being validated first, you will not be let in. Once a user follows the sequence correctly, they will remain validated in the session until you use the 'resetAuth' method to remove the authorization.
Keep in mind that the example is just a simple example to see the script in operation. You have the ability to build your links however you want and on multiple pages across your entire site. You can have false leads, dead ends and strong resets. By default the script will reset the users path (strong reset) whenever they follow a link that does not contain the tracking variable, so if your tracking variable is 'trackme' and the link they follow does not contain 'trackme' as a key value pair, then they user gets reset. You can change this behavior by turning off strongReset when validating like this...
$secpth->validatePath(false)
If we are talking about validation, we do not want to give any hints to a user that they are on the correct path or not. If they do not know the path, or even that a path exists, then they fail quietly as they navigate around your site.
In the simple example, we send the user to the secret.php page after they have successfully been authenticated just to show an example of the authenticated user. You do not have to send the user anywhere, you are free to take whatever action you want on success.
If you want to do something if the user is on the wrong path, there is a method 'testUserPath' that does this check and will return true or false depending on if the user is on the correct path. Your code could look something like this...
if( !$secpth->testUserPath() ){
//do something because the user is on the wrong path
}
You can use this to give hints, however that does defeat the purpose of the path being a secret.
There is another article that will be approved sometime, I don't know where it is in the approval queue, which discusses using the class for gamification and not authentication. What we do can be a lot more relaxed if authentication is not involved. The gamification concept is based on users navigating the site, knowing there is a reward if they navigate in the correct sequence, increasing page hits and time users remain on the site while decreasing bounce rates.
Anyway, my point is that you can do pretty much anything you want. The navigation sequence can be as complex or as simple as you want. If you truly want to provide hints, there are methods available like the testUserPath that will allow you to do it.
Dave
Dave Smith - 2016-12-09 08:28:41 - In reply to message 7 from Joseph SchembriI will now attempt to answer your specific questions.
1) Is it possible to count the number of values in the users sequence?
The users sequence is only maintained if they are on the correct path. If they make a wrong choice then their sequence is reset. The count in the users path array will never exceed the count of the secret path.
2) Can we compare the value sent to the first value in the secret path to determine if the user is on the correct path?
This will not work, with $num=$_GET['link'], the value of $num will be whatever link is clicked and may or may not be the first value in the secret path. For example, with a secret path of 1 -> 2 -> 3 -> 4. The user clicks 1 and it matches the first value in the secret path. The user then clicks 2, which is the correct path, however it does not match the first value in the secret path.
What you can do is add a property to the class that will track the number of authorization hits...
add
public $authHits;
after
private $trackVar;
Then increment it in the validatePath method...
add
$this->authHits++;
after
public function validatePath($strongReset=true){
Since we made this property public, you can check its value in your code using...
$attempts = $secpth->authHits;
Whenever the number of maximum attempts is reached, you can do whatever you want...
if( $attempts == 8 ){
//tell the user they failed
}
Dave
Joseph Schembri - 2016-12-09 19:37:30 - In reply to message 9 from Dave SmithYou stated that:
By default the script will reset the users path (strong reset) whenever they follow a link that does not contain the tracking variable, so if your tracking variable is 'trackme' and the link they follow does not contain 'trackme' as a key value pair, then they user gets reset.
I assume this to mean that whenever a wrong link is sent, there is a complete reset so that you must start the sequence again from the beginning even though you may have entered a correct code initially followed by a wrong code.
You then stated that you can change this behavior by turning off strongReset when validating like this...
$secpth->validatePath(false)
I assume this means as follows:
$path = (1,2,3,4)
If I send 1,2, 3, 5 and then 4 that it should be valid.
I tried this but it did not work as I thought.
I had to send 1,2,3 and 4 in the correct order.
Could you please clarify
Also, with respect to authHits, I noticed it just keeps adding up.
Is there anyway to reset this back to 0 when $attempts value is reached.
|
