Stopping people from brute forcing URL / UUIDs

[eluser]dcunited08[/eluser]
Have you ever thought of keeping taps on the last page and allow access to each of these pages only through certain pages (main page, search, etc.)? I used to work on a web scanner and it figured out really quickly when the site allowed incrementing to pull the next page but tended to run into issues if there was an order required to access certain pages.

[eluser]RS71[/eluser]
Thank you all for your replys

@dcunited08

I sorta had this in mind, I'm a bit hesitant though... would it affect performance too much? Also, how do you suggest I go about this?

[eluser]dcunited08[/eluser]
RS71,



Something like the following:

Code:

//fires on hook post_controller
function set_last_url_cookie{

$ci = get_instance();

$ci->session->set_userdata('last_uri', $ci->uri->uri_string);
}

function __construct()
{
  if(!in_array($this->session->userdata('last_uri'), array('search','MainPage')){
     show_error('please return to the main page'); //you could redirect to home page or show 404
}
}

For more information on storing the last url, look here.

The biggest problem with this option is that the user can not use a link to the page. I am not sure why you are attempting to do this, it may anger your customers but this is how I would do it.

[eluser]dcunited08[/eluser]
Another option I just thought of would be to change the link by multiplying a large number and the id and then dividing to find the ID on the next request.

Code:

// for link
site_url("details/". $id * 123456);

function get_data_by_id($id){
//check to make sure the id has been obfuscated
$id = (($id % 123456) === 0) ? ( $id / 123456 ) : $id;

//rest of code here

Almost all options could be figured out and automatically replicated but the time it takes to figure it out, without a tool, is much greater.