PHP Classes

PHP User Validation using Event Sequences - PHP Secret URL Path package blog

Recommend this page to a friend!
  All package blogs All package blogs   PHP Secret URL Path PHP Secret URL Path   Blog PHP Secret URL Path package blog   RSS 1.0 feed RSS 2.0 feed   Blog PHP User Validation u...  
  Post a comment Post a comment   See comments See comments (31)   Trackbacks (0)  


Viewers: 1,448

Last month viewers: 5

Package: PHP Secret URL Path

It is standard practice to authenticate user from a user name and password pair.

If this information is compromised, you can provide an additional layer of security with a secret set of event sequences that the user has to follow to authenticate.

Read this tutorial to learn how to implement this solution in practice.

Loaded Article


Authentication Factors

Using a Sequence for Authentication

Initialization and Validation of the Secret Path

Using the Tracking Variable Key/Value Pair

Working with Dead Ends

A Path to Success


user security


In this article we will be using the PHP Secret URL Path class as a layer of user authentication based on following a correct sequence of links.

This means that it will be shown a solution that can authenticate a user that is able to follow a sequence of links correctly to demonstrate that he is who he says. 

As an additional security layer we can further protect sensitive information.

Authentication Factors

When talking about user authentication it is important to have a basic understanding of authentication factors. Each authentication factor is broken down into what you know, what you have and who you are.

The more factors you require, the more secure the systems. One factor authentication (1FA) uses only what your user knows to authenticate, like a username or password.

Two factor authentication (2FA) uses what you know and what you have, like a secret username and one time password.

Three factor authentication (3FA) uses what you know, what you have and who you are, like a secret username, one time password and a biometric like a fingerprint.

Using multiple factors in the same group is called multiple factor authentication (MFA), so using a username and password pair, both 1FA will give us 1FA MFA.

Hopefully that makes sense, if you want to read more in depth about authentication factors then check out the article PHP Multi-Factor Authentication for Web Development.

Using a Sequence for Authentication

Think of a sequence as the combination on a safe. You turn the wheel to the first correct number, then to the next number and so on until you complete the sequence. If you did it correctly the safe will be unlocked, however if you made one mistake then you are still locked out.

The sequence can be what you know, or if it constantly changes and the user is notified of this one time sequence then it would be what you have. In this article we will be using the sequence as what you know, 1FA, instead of the more complex 2FA.

Initialization and Validation of the Secret Path

For our purposes a secret path is a sequence of user clicks that act like a combination. As long as the user follows the sequence correctly, they can be authenticated. Please refer to the following code which should be included at the top of each page where we have links in the sequence:

include( 'secretpath.class.php' );
if(empty( $_SESSION[ 'secpth' ] )) {
    $path = array(1, 2, 3, 1, 2, 3);
    $secpth = new secretPath( '*', $path);
} else {
    $secpth = unserialize( $_SESSION[ 'secpth' ]);
$validated = $secpth->validatePath();
$_SESSION[ 'secpth' ] = serialize( $secpth );

On the first line we are starting our session where we are saving the user interactions, their click sequence.

On the second line we are including the code from the secret path class.

The next block of code is a logic check to see if we have the class object saved in a session already or not. If it has not been saved then we define the correct sequence, otherwise referred to as a path, and instantiate the class, otherwise we restore the object from the data saved in the session.

The path consists of an array of integer values which can be as simple or as complicated as we want. In this example we are using a very simple path where the user must click on links with the value of 1 then 2 then 3 then 1 then 2 then 3 to be successfully authenticated.

The secretPath class is instantiated with a tracking variable parameter and a path parameter. In this case we are using an asterisk which triggers the class to randomly generate our tracking variable which will result in a different tracking variable for each user per session. We could simply name our variable like this...

$secpth = new secretPath( 'track', $path);

so that the key in our key/value pair would be track, however it is less secure to use the same tracking variable all the time.

Our randomized tracking variable will be 8 characters long, which is the default. We can make it shorter or longer to suit our needs by specifying the length parameter like this...

$secpth = new secretPath( '*', $path, 12);

which will result in a longer tracking variable of 12 characters.

Our next line in the code is where the work is performed by the class, checking to see if the user is on the correct path or not with the validatePath method and returning true or false to our $validated variable.

The last line is where the current state of the class object is saved to the session so that we can start where we left off the next time this initialization and validation code is used.

Using the Tracking Variable Key/Value Pair

Links that we use in our markup which are part of the secret path sequence will contain a tracking variable and a value. The value can be any integer, however if we want our users to succeed then we want to provide at least one correct value in our path. The markup will look like this...

<a href="pageone.php?<?php $secpth->getTrackVar();?>=3">Click Me</a>
<a href="pagetwo.php?<?php $secpth->getTrackVar();?>=1">Click Me</a>

Notice that we use the getTrackVar method to insert the correct tracking variable since we randomly generated it. We also are linking to different pages which is okay as long as each page contains the initialization and validation code discussed in the previous section.

Depending on where the user is currently on the path, either link may be the correct one. If 3 is the next value in their path then the first link is correct or if 1 is the next value then the second one is correct.

Clicking the correct link keeps the user moving down the correct path, however clicking the wrong one resets them. The user won't know that they have made a mistake until they reach the end, expecting the safe to open and it doesn't.

Working with Dead Ends

If a user visits a page without any tracking, you can choose to ignore it and allow them to continue on their path the next time they visit a page with tracking in the same session. Or... you can use the page as a dead end, forcing them to start all over.

Instead of using the initialization and validation code, you will manipulate the object saved in the session...

$_SESSION['secpth'] = '';

All we are really doing here is clearing out the saved object so that the class will instantiate again the next time a tracking page is visited.

A Path to Success

When a user has navigated the path correctly, the $validated variable we are using in this example will be set to true. We can test this in a logic block to trigger whatever we want to happen at the end of a properly navigated path...

if( $validated === true ){
    //user navigated correctly

We can also use validation check code in files where we only want to allow validated users...

include( 'secretpath.class.php' );
if(empty( $_SESSION[ 'secpth' ]) ) {
    die('Access Restricted!');
} else {
    $secpth = unserialize( $_SESSION['secpth'] );
if( $secpth->testAuth() === true ) {
    echo 'Access Authorized!';
} else {
    echo 'Access Denied!';

The first logic block is checking to see if the class object is saved in the session. If it is not, then the script ends without allowing access. You could use a more user friendly approach and send them to a tracking page to start the path.

The next logic block uses the testAuth method to check if the user has successfully navigated the path. If they have then you can allow them in, otherwise you block them.


This simple example of using a secret path as a validation factor is not strongly secure on its own.

If it is used with other validation factors, MFA, it can provide another layer of security. For example, you could have the standard user and password authentication pair for typical access and then include a secret path, unique to that user, which would allow access to more sensitive information.

If the username and password are compromised, the sensitive information is still secure.

If you liked this article share with your colleagues. Post a comment below if you have questions on implementing this simple but useful form of protecting you site from unauthorized user accesses.

You need to be a registered user or login to post a comment

1,615,549 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:


1. Works only with array integer values of 1 to 9. - Joseph Schembri (2016-12-08 19:16)
How to work with array values of both alpha and numeric... - 30 replies
Read the whole comment and replies

  Post a comment Post a comment   See comments See comments (31)   Trackbacks (0)  
  All package blogs All package blogs   PHP Secret URL Path PHP Secret URL Path   Blog PHP Secret URL Path package blog   RSS 1.0 feed RSS 2.0 feed   Blog PHP User Validation u...