
permutating URL?

7 replies to this topic

#1 capr

capr

    Neowinian Senior

  • Joined: 01-July 05

Posted 23 March 2013 - 18:42

Hey, here's the scenario: my customers have log ins for this care website that they use. I don't manage those log ins and can't host my page on the same domain. Since this page needs to stay secret, I need to put the link to it behind the log in that's being managed by someone else.

My worry is that people will just copy that link and distribute it once they find that going there directly doesn't require a log in.

Solution in my head: is there such a thing as a permutating URL? Can the URL to my page change every hour or so? This would require customers to log in and click on the button that I design for them rather than go directly to the link.

Other solutions are welcome; however, I have very limited access to what goes on at the secure domain with the logins.


#2 Tonicgoofy

Tonicgoofy

    Neowinian

  • Joined: 16-February 09
  • Location: California

Posted 23 March 2013 - 18:54

Wouldn't it be easier to require a password that is generated every so often, and have it display on the link page? So even if they click on the link, they would still need the password that was next to the link.

#3 OP capr

capr

    Neowinian Senior

  • Joined: 01-July 05

Posted 23 March 2013 - 19:05

> Wouldn't it be easier to require a password that is generated every so often, and have it display on the link page? So even if they click on the link, they would still need the password that was next to the link.

That's a good solution, I will look into it. I doubt I will be able to display a variable password on the protected page.

#4 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 8
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 23 March 2013 - 19:11

> That's a good solution, I will look into it. I doubt I will be able to display a variable password on the protected page.

Why not? Put the password HTML in a folder with an .htaccess secured by IP and username/password file.

#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 March 2013 - 20:30

Not really secure, but a simple .htaccess setup with specific referrer info required would work. Or you could look for a specific cookie that came from their login and require that.

Trying to "hide" is never a secure option.

#6 articuno1au

articuno1au

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 23 March 2013 - 20:32

If you're using ASP/PHP, you could check the referrer URL and bounce connections that aren't coming from the page you expected.

That should make it significantly harder >.>

Either way, you're working outside of best practices >.>

Security through obscurity is not security.

EDIT::
Damnit Budman >.>

Edited by articuno1au, 23 March 2013 - 20:35.


#7 OP capr

capr

    Neowinian Senior

  • Joined: 01-July 05

Posted 23 March 2013 - 23:58

Thanks everyone. I think this .htaccess solution will work for now. It's much easier than managing separate logins for all the clients. The information isn't very sensitive so I think this minimal security will work.

#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 24 March 2013 - 02:23

Let's be clear: this is not really any sort of security, this could be considered an access control method ;) But not a security feature - I can spoof a referrer in 2 seconds. With a cookie check you could verify something that could kind of somewhat make it security - but just checking for a cookie of a specific name wouldn't be security, no.

But these options are better access control than trying to hide your site by just changing what URL it answers to every so often ;)
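
An added example, not part of the thread or any poster's code: one way to build the hourly-changing URL asked about in post #1 so that the changing part is something the server can verify, not just a name to guess. It assumes the page behind the login can run server-side code holding a secret shared with the protected page (which post #1 suggests may not be possible); `make_link`, `check_link`, `SECRET` and the URL in the test are hypothetical names and constructed values.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

WINDOW_SECONDS = 3600  # the "every hour or so" rotation asked about in post #1
SECRET = b"constructed-demo-secret"  # assumption: known to both sites, never sent


def _token(secret: bytes, window: int) -> bytes:
    """Hex HMAC-SHA256 of the hour index; unguessable without the secret."""
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest().encode()


def make_link(base_url: str, secret: bytes = SECRET, now: Optional[float] = None) -> str:
    """What the page behind the login would render (hypothetical helper)."""
    window = int((time.time() if now is None else now) // WINDOW_SECONDS)
    return base_url + "?" + urlencode({"t": _token(secret, window).decode()})


def check_link(url: str, secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    """What the protected page would run: accept current or previous hour only."""
    window = int((time.time() if now is None else now) // WINDOW_SECONDS)
    supplied = parse_qs(urlparse(url).query).get("t", [""])[0].encode()
    # Compare against both windows without short-circuiting, in constant time,
    # so a link issued at 10:59 does not die at 11:00.
    ok_now = hmac.compare_digest(supplied, _token(secret, window))
    ok_prev = hmac.compare_digest(supplied, _token(secret, window - 1))
    return ok_now or ok_prev
```

A copied link still works for anyone until its window lapses, so this only bounds how long a shared URL stays useful; it does not identify who is using it.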


