permutating URL?


Hey, here's the scenario: my customers have logins for this care website that they use. I don't manage those logins and can't host my page on the same domain. Since this page needs to stay secret, I need to put the link to it behind the login that's being managed by someone else.

My worry is that people will just copy that link and distribute it once they find that going there directly doesn't require a log in.

Solution in my head: is there such a thing as a permutating URL? Can the URL to my page change every hour or so? This would require customers to log in and click on the button that I design for them rather than go directly to the link.

Other solutions are welcome; however, I have very limited access to what goes on at the secure domain with the logins.


Wouldn't it be easier to require a password that is generated every so often, and have it display on the link page? So even if they click on the link, they would still need the password that was next to the link.

That's a good solution; I will look into it. I doubt I will be able to display a variable password on the protected page.

Why not put the password HTML in a folder with an .htaccess secured by IP and a username/password file?


Not really secure, but a simple .htaccess setup with specific referrer info required would work. Or you could look for a specific cookie that came from their login and require that.

Trying to "hide" is never a secure option.


If you're using ASP/PHP, you could check the referrer URL and bounce connections that aren't coming from the page you expected.

That should make it significantly harder >.>

Either way, you're working outside of best practices >.>

Security through obscurity is not security.

EDIT::

Damnit Budman >.>


Thanks everyone. I think this .htaccess solution will work for now. It's much easier than managing separate logins for all the clients. The information isn't very sensitive so I think this minimal security will work.


Let's be clear: this is not really any sort of security; this could be considered an access control method ;) But not a security feature - I can spoof a referrer in 2 seconds. With a cookie check you could verify something that could kind of somewhat make it security - but just checking for a cookie of a specific name wouldn't be security, no.

But these options are better access control than trying to hide your site by just changing what URL it answers to every so often ;)

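The hourly-changing link from the original question and the referrer check from the replies, side by side, as an added example that is not from any poster in the thread. It assumes the page behind the login can compute a token from a secret shared with the target site; `SECRET`, the function names and the `portal.example` URL are hypothetical.

```python
import hashlib
import hmac
import time

WINDOW = 3600  # seconds; the "every hour or so" from the original question
SECRET = b"constructed-demo-secret"  # assumption: shared by link page and target site


def window_token(secret: bytes, now: float, window: int = WINDOW) -> str:
    """Token for the time window containing `now` (this goes in the URL)."""
    counter = int(now // window)
    mac = hmac.new(secret, str(counter).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def token_is_valid(token: str, secret: bytes, now: float, window: int = WINDOW) -> bool:
    """Accept the current window and the one before it, so a link clicked
    just after the hour rolls over still works."""
    for age in (0, 1):
        expected = window_token(secret, now - age * window, window)
        if hmac.compare_digest(token.encode(), expected.encode()):
            return True
    return False


def referer_is_expected(headers: dict, expected_prefix: str) -> bool:
    """The referrer check from the thread: it only compares a string that
    the client sends, so it proves nothing about a login."""
    return headers.get("Referer", "").startswith(expected_prefix)


def demo() -> dict:
    issued = 1_700_000_000.0  # constructed timestamp
    token = window_token(SECRET, issued)
    return {
        "fresh": token_is_valid(token, SECRET, issued + 60),
        "next_hour": token_is_valid(token, SECRET, issued + WINDOW),
        "two_hours_later": token_is_valid(token, SECRET, issued + 2 * WINDOW),
        "guessed": token_is_valid("0" * 32, SECRET, issued),
        # constructed header value; any client can send it without logging in
        "referer_only": referer_is_expected(
            {"Referer": "https://portal.example/members"}, "https://portal.example/"),
    }


if __name__ == "__main__":
    print(demo())
```

The token is the same for every visitor during a window, so a copied link keeps working until that window and the grace window have passed.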
