permutating URL?


Question

Posted

Hey, here's the scenario: my customers have logins for this care website that they use. I don't manage those logins and can't host my page on the same domain. Since this page needs to stay secret, I need to put the link to it behind the login that's being managed by someone else.

My worry is that people will just copy that link and distribute it once they find that going there directly doesn't require a login.

Solution in my head: is there such a thing as a permutating URL? Can the URL to my page change every hour or so? This would require customers to log in and click on the button that I design for them rather than go directly to the link.

Other solutions are welcome; however, I have very limited access to what goes on at the secure domain with the logins.


7 answers to this question

Posted

Wouldn't it be easier to require a password that is generated every so often, and have it display on the link page? So even if they click on the link, they would still need the password that was next to the link.


Posted

[quote name='Tonicgoofy' timestamp='1364064863' post='595594040']
Wouldn't it be easier to require a password that is generated every so often, and have it display on the link page? So even if they click on the link, they would still need the password that was next to the link.
[/quote]

That's a good solution, I will look into it. I doubt I will be able to display a variable password on the protected page.


Posted

[quote name='capr' timestamp='1364065545' post='595594054']
That's a good solution, I will look into it. I doubt I will be able to display a variable password on the protected page.
[/quote]

Why not put the password HTML in a folder with an .htaccess secured by IP and username/password file?

Posted

Not really secure, but a simple .htaccess setup with specific referrer info required would work. Or you could look for a specific cookie that came from their login and require that.

Trying to "hide" is never a secure option.


Posted (edited)

If you're using ASP/PHP, you could check the referrer URL and bounce connections that aren't coming from the page you expected.

That should make it significantly harder >.>

Either way, you're working outside of best practices >.>

Security through obscurity is not security.

EDIT::
Damnit Budman >.>

Edited by articuno1au


Posted

Thanks everyone. I think this .htaccess solution will work for now. It's much easier than managing separate logins for all the clients. The information isn't very sensitive so I think this minimal security will work.


Posted

Let's be clear: this is not really any sort of security; this could be considered an access control method ;) But not a security feature - I can spoof a referrer in 2 seconds. With a cookie check you could verify something that could kind of somewhat make it security - but just checking for a cookie of a specific name wouldn't be security, no.

But these options are better access control than trying to hide your site by just changing what URL it answers to every so often ;)

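The hourly "permutating URL" asked about in the question, sketched as an added example that is not from any poster in the thread: the path is an HMAC of the current hour, so it rotates without any stored state. It assumes whatever renders the button behind the login can compute or fetch the current path; the secret, the `/p/` prefix and the function names are hypothetical, and the scheme only limits how long a copied link keeps working, it does not identify who follows it.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret shared by whatever renders the button behind the
# login and by the server hosting the hidden page. Constructed sample value.
SECRET = b"constructed-demo-secret-change-me"
WINDOW_SECONDS = 3600  # the "every hour or so" from the question


def bucket(now: float) -> int:
    """Index of the time window containing `now` (Unix seconds)."""
    return int(now // WINDOW_SECONDS)


def token_for(bucket_index: int, secret: bytes = SECRET) -> str:
    """Unguessable path component for one window: HMAC-SHA256 of its index."""
    msg = str(bucket_index).encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def current_path(now: Optional[float] = None) -> str:
    """Path the button should point at right now (hypothetical /p/ prefix)."""
    now = time.time() if now is None else now
    return "/p/" + token_for(bucket(now))


def is_valid_path(path: str, now: Optional[float] = None, grace: int = 1) -> bool:
    """Accept the current window's path, plus `grace` earlier windows so a
    customer who loaded the button just before rollover is not locked out."""
    now = time.time() if now is None else now
    if not path.startswith("/p/"):
        return False
    presented = path[len("/p/"):]
    ok = False
    for age in range(grace + 1):
        expected = token_for(bucket(now) - age)
        # Constant-time compare; check every candidate without early exit.
        ok |= hmac.compare_digest(presented.encode(), expected.encode())
    return ok


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    link = current_path(t0)
    for delta in (0, 1800, 3600, 7200, 3 * 3600):
        print(f"+{delta:>5}s  {link}  valid={is_valid_path(link, t0 + delta)}")
```

With `grace=1` a copied link stays usable for between one and two hours; setting `grace=0` tightens that to the current hour at the cost of failing for anyone who clicks just after rollover.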