 Joseph Schembri - 2016-12-10 22:19:22 - In reply to message 20 from Dave Smith
I am still having a problem
I set for strong reset:
if( $secpth->validatePath() === true ){
Then I comment out line in secretpath.class.php:
//unset($this->userPath);
To monitor user activity I use the following in example.php:
echo "<pre>";
print_r($secpth);
echo "</pre>";
As before I use the secret path 1,2,3,4 with following paths:
Path 1 = example.php?link=1
Path 2 = example.php?link=2
Path 3 = example.php?link=3
Path 4 = example.php?link=4
Path 5 = example.php?link=5
First I send path 1 and I see:
[userPath:secretPath:private] => Array
(
[0] => 1
)
I then send path 2 and 3 and see:
[0] => 1
[1] => 2
[2] => 3
Next I send path 5 and then 4 and see:
[0] => 1
[1] => 2
[2] => 3
[3] => 5
[4] => 4
As you can see, it also stored path 5 and 4
As a result the secret path is wrong and so is not validated
If I send path with wrong tracking variable (test instead of link), it does reset.
If I keep sending path numbers, it just keeps adding it to the array so that the secret path will never be validated.
My intention is that as mentioned before that it behaves as a soft reset without the tracking variable, that is, it does not store the wrong path number but does not reset. This way, you will be validated when the correct path is sent.
In other words then, instead of:
[userPath:secretPath:private] => Array
(
[0] => 1
[1] => 2
[2] => 3
[3] => 5
[4] => 4
)
It should show:
[userPath:secretPath:private] => Array
(
[0] => 1
[1] => 2
[2] => 3
[4] => 4
)
If the path sent is correct, then store it.
If it is not correct, do not store it.
 Dave Smith - 2016-12-10 23:56:05 - In reply to message 21 from Joseph Schembri
Okay, try this...
if( $this->userPath[$key] != $value ){
array_pop($this->userPath);
break;
This drops the last value if it is wrong while still maintaining the correct path followed so far.
I do have to warn that this is a horrible idea for authentication since a user can randomly press links and will eventually be authenticated since the correct path will build as all incorrect choices between the correct ones are ignored.
Of course if you use the strong reset and links without the tracking variable, the users path will reset if they follow these links.
Dave
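The warning in message 22, worked through as an added example (not part of the original thread and not code from the secretPath class). It models only the two behaviours discussed: wrong values staying in the stored path, as reported in message 21, and wrong values being dropped by the `array_pop` change. The function names `step` and `clicksToAuth`, the 1000 simulated visitors and the 200-click limit are assumptions made for the illustration.

```php
<?php
// Added illustration: a standalone model, not the secretPath class itself.
// $secret and the link values 1..5 come from the test described in message 21.

// Feed one clicked value into the user's path.
// $dropWrong = false: wrong values stay stored (behaviour reported in message 21).
// $dropWrong = true : wrong values are popped (the array_pop change in message 22).
function step(array $userPath, array $secret, int $value, bool $dropWrong): array
{
    $userPath[] = $value;
    $key = count($userPath) - 1;
    if ($dropWrong && (!isset($secret[$key]) || $secret[$key] != $value)) {
        array_pop($userPath);
    }
    return $userPath;
}

// Replay a click sequence; return how many clicks it took to match, or null.
function clicksToAuth(array $clicks, array $secret, bool $dropWrong): ?int
{
    $userPath = [];
    foreach ($clicks as $i => $value) {
        $userPath = step($userPath, $secret, $value, $dropWrong);
        if ($userPath === $secret) {
            return $i + 1;
        }
    }
    return null;
}

$secret = [1, 2, 3, 4];

// The exact sequence from message 21: 1, 2, 3, 5, 4.
var_dump(clicksToAuth([1, 2, 3, 5, 4], $secret, false)); // wrong value kept
var_dump(clicksToAuth([1, 2, 3, 5, 4], $secret, true));  // wrong value dropped

// Constructed input: 1000 simulated visitors clicking links 1..5 at random.
mt_srand(2016);
$authed = ['kept' => 0, 'dropped' => 0];
for ($u = 0; $u < 1000; $u++) {
    $clicks = [];
    for ($c = 0; $c < 200; $c++) {
        $clicks[] = mt_rand(1, 5);
    }
    $authed['kept']    += clicksToAuth($clicks, $secret, false) !== null ? 1 : 0;
    $authed['dropped'] += clicksToAuth($clicks, $secret, true) !== null ? 1 : 0;
}
print_r($authed);
```

Comparing the two counters shows how many random clickers each behaviour lets through, which is the reason to keep the strong reset wherever the path is used for authentication.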
 Joseph Schembri - 2016-12-11 23:51:04 - In reply to message 22 from Dave Smith
Hi Dave
Yes you are correct, but I have other applications other than security.
For security purposes I would definitely stay with the strong reset approach.
Have a couple of small questions:
usage: secretPath($trackVar,$secPath[,$length=8][,$max=9]);
I believe $trackVar would be the designated "link" tracking variable.
$secPath would be the secret code array.
With respect to $length and $max, I am not quite sure what you mean.
Could you elaborate for me?
Thanks
 Dave Smith - 2016-12-12 00:44:29 - In reply to message 23 from Joseph Schembri
Here are the param definitions in the class
trackVar = Tracking variable posted in request or * to generate one
secPath = Array of values in set order to authorize access
length = Length of generated tracking variable and/or path
max = maximum value used in path
The class has some random generation features.
You can randomly generate a tracking variable for each session by passing in an asterisk. The length parameter specifies how many characters it will be.
You can also generate a random secret path by passing in an asterisk. The length parameter in this case will be how long the path is and the max parameter is the largest integer to use.
Dave
 Joseph Schembri - 2016-12-12 01:07:41 - In reply to message 24 from Dave Smith
So you are saying then that $length and $max only relate to when you randomly generate the secret path.
If I do it manually, then there is no length restriction (can be very long) and I can use any numerical value up to what is allowed per my system.
Could you give me an example of how to randomly generate a secret path and tracking variable.
Would it be displayed and would I have to generate the appropriate href links.
I assume it would be different from what is shown in the simple example.php file
Thanks
 Dave Smith - 2016-12-12 04:29:05 - In reply to message 25 from Joseph Schembri
This article that we are commenting on is about user validation, which is where you would use the random tracking variable. The examples used in the article include how to instantiate and use the class with random tracking.
Generating a random secret path is more about gamification since the user won't know the path. There is an article waiting to be published here that demonstrates this usage. Since I am not sure when it will be published, here are some highlights on using random secret paths.
You could instantiate the class like this...
$secpth = new secretPath('link','*');
This would generate a random secret path using the default length of 8 steps with a maximum integer value of 9 on each step.
You could change the default length like this...
$secpth = new secretPath('link','*',12);
Which now would generate a secret path of 12 steps.
You could also change the maximum integer value to whatever you want, like this...
$secpth = new secretPath('link','*',12,100);
Which now would generate a secret path of 12 steps with a value range between 1 and 100 for each step.
To be sure there is a path to success for your user, you would need to ensure that at least one of the links contains the current correct path. That said, the modification we have made for you and the user reset overcomes this since the user can follow a bad path without being reset.
Dave
 Joseph Schembri - 2016-12-12 06:35:47 - In reply to message 26 from Dave Smith
Looks good
The $secpth = new secretPath('link','*');
seems to generate only integer values.
How do you get it to generate alphanumeric
I noticed $rndChar did contain alphanumeric but I could only get it to generate integer values
Do I need to do something else
Thanks
 Dave Smith - 2016-12-12 12:36:22 - In reply to message 27 from Joseph Schembri
The rndChar property is used to generate the tracking variable.
Somewhere in this conversation, I am fairly certain I mentioned that we can get string values in the path manually, however randomly generating them presents a problem.
The biggest hurdle is the huge number of possibilities that can be randomly generated. It is impossible to have static links that will match a randomly generated string, which is why the class was developed to use integers.
One solution would be to have an array of predefined string values which could be used to generate the path. This way the values are known in advance.
Another solution is to dynamically create the links using the randomly generated string values in the path as a reference. This way we can ensure that the links are valid.
The first solution would be the easiest to implement, however the second provides more flexibility and is the truly random approach. If and when I decide to support this in the class, I would probably use the second solution.
At this point, I am not convinced that it is worth the time to develop, since the class operates fine as it was designed, with integers.
Dave
 Joseph Schembri - 2016-12-12 22:42:59 - In reply to message 28 from Dave Smith
With respect
authHits
I noticed that when I first run example.php that:
[authHits] => 1
I would have expected it to be 0 since no links have been clicked yet.
Can it be set to start at 0
Thanks
 Dave Smith - 2016-12-13 01:27:39 - In reply to message 29 from Joseph Schembri
It starts at 0, however, where we placed it will increment anytime the validatePath method is run. If you move it down a few lines, below...
$cycleCount = 0;
It will increment only when the tracking variable is present.
If you also want it to reset back to 0 when the strong reset resets the user path when the tracking variable is not present, you can set it to 0 in that part of the logic block...
}elseif( $strongReset ){
unset($this->userPath);
$this->authHits = 0;
Dave