PROTECTING ONLINE EXAMINATION SYSTEMS AND SERVICES
Suggested approach to protecting and handling question and answer based dynamic text in the Lizard Protector secured web content environment
To nest dynamic content in a protected web page, a working approach is to use the HTML IFRAME tag in the HTML page that calls the dynamic content. The following use case shows how this can work and how it can be implemented.
The same solution works for PHP, JSP or ASP pages.   There may be an issue if the dynamic pages are displaying images that also need to be secured - they might be cached by IE.   But, as long as the engine is used to protect dynamically generated text, it will be protected.
Use case
I need to set up a dynamic quiz form in PHP.   This form will consist of two parts, the question part, and the answer part.
So I have identified the need for two PHP files: “quiz.php” and “results.php”. Quiz.php will display the question and the possible answers (i.e. multiple choice questions), and when the form is submitted it passes the answer(s) to results.php, which indicates if the answers are right/wrong and also takes further action (such as sending the quiz result by email to a given addressee or posting it to a URL/database for web or other processing).
To keep the worked example below simple, the questions/answers in the PHP files have been nested, but they would normally be retrieved as PHP variables from a database. Not only is retrieving PHP variables from a database a more likely operational scenario, it ensures the questions remain protected since they cannot be accessed directly by the user.
Example
Instead of attempting to rename or protect the PHP pages dynamically, a new HTML page (test.html) is created which is used to call the quiz.php page:
<HTML>
<TITLE>Test File</TITLE>
<Iframe src="http://www.locklizard.com/quiz/quiz.php" width="100%" height="100%"></Iframe>
</HTML>
Using Protector Administrator, the HTML page test.html is protected as a secure web page (HSF product).
When that page is opened using the secure web viewer, Protector Viewer, it calls and then loads the dynamic content referenced in quiz.php.
The recipient can then fill in the quiz answer(s) and submit the form as a normal action.
Sample implementation
Here is the link to file quiz_sample.zip.   It contains the two PHP files and the HTML file listed above.
The HTML file MUST use the IFRAME to call the ABSOLUTE path (e.g. http://www.locklizard.com/quiz/) to the PHP file, otherwise it will not work.   It will not connect through a relative path (e.g. /quiz/).
To test the process you have to upload the PHP files to a folder called "quiz" on the target web site, then protect test.html as a secure web page (HSF file) and open the protected file with Protector Viewer.
To prevent people capturing URLs to directly access the web site, you need to create a login page which will both grant access to this area of the web site (where the PHP forms are held) and establish a session tracking cookie in order to prevent anyone else from gaining access to this session. In examination systems it is normal to provide candidates with unique ID/Password combinations since these are used to track individual candidates within the secure system.
Below is some sample HTML which calls the main login page for exams.
<HTML>
<TITLE>Test File</TITLE>
<Iframe src="http://mywebsite.com/StudentEducationPlatform/user/login.do" width="100%" height="100%"></Iframe>
</HTML>
You must protect the HTML page using Protector Administrator, then students can open the protected HTML page using Protector Viewer and log in to the exams server.
The login page is therefore only accessible to authorized users through the Protector Viewer, so students must have been granted a license that gives access to this page. This prevents users sharing their ID and password, because on their own they have no value. In IT Security terms this technique is called two-factor authentication - in order to gain access someone must already be authorized and must know separate secrets (the ID/Password) of the system.
The tests and results are displayed securely in Protector Viewer.
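The session tracking described above can be enforced in the PHP pages themselves. The following is an added example, not code from quiz_sample.zip or from Lizard Protector; the file name exam_session.php, the function names, the session keys and the 30-minute limit are all assumptions made for illustration.

```php
<?php
// exam_session.php: added illustration, not part of quiz_sample.zip.
// Function names, session keys and the 30-minute limit are assumptions.
const EXAM_SESSION_TTL = 1800; // seconds a logged-in exam session stays valid

function start_exam_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true]); // hide cookie from page scripts
        session_start();
    }
}

// Call from the login handler after the candidate's ID/password were verified.
function begin_exam_session(string $candidateId): void
{
    start_exam_session();
    session_regenerate_id(true); // discard any session ID issued before login
    $_SESSION['candidate_id'] = $candidateId;
    $_SESSION['started_at'] = time();
}

// Pure check, kept separate from the redirect so it can be tested on its own.
function exam_session_is_valid(array $session, int $now): bool
{
    return isset($session['candidate_id'], $session['started_at'])
        && ($now - $session['started_at']) <= EXAM_SESSION_TTL;
}

// Gate for quiz.php and results.php: a request made by pasting the URL into a
// browser carries no valid session and is redirected to the login page.
function require_exam_session(string $loginUrl): string
{
    start_exam_session();
    if (!exam_session_is_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;
    }
    return $_SESSION['candidate_id'];
}

// Self-check with constructed session arrays when run as: php exam_session.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $now = time();
    var_dump(exam_session_is_valid([], $now)); // no login
    var_dump(exam_session_is_valid(['candidate_id' => 'C-001', 'started_at' => $now - 60], $now));
    var_dump(exam_session_is_valid(['candidate_id' => 'C-001', 'started_at' => $now - 7200], $now));
}
```

Each of quiz.php and results.php would include this file and call require_exam_session() with the login page's URL before producing any output, so that results.php only grades answers for a candidate who has logged in.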
Security considerations
Frames use the Internet Temp folder, but if you look in that folder you only see a copy of the file quiz.php, held as PHP code.   The dynamic content (results.php) which is further called by the first PHP call is not cached.
It is possible to monitor and erase the file quiz.php from the temp folder, but that file itself is useless as it doesn't contain the answers or the actions that are going to be taken based on those quiz answers.
If the URLs were copied to a browser such as IE, an attacker would still need to know the username/password for the server login, and when logged in they do not gain access to underlying information.