Question

restricting access of a URL to a particular company

Asked by: gdemaria


 My company will allow some of our customers to show pages from our web site from their corporate site.

 So, their company site will call a URL we set up for them that may look something like this...

 www.ourwebsite.com/ACME/bestWines.cfm

 where ACME is the name of the company that is calling the page from the acme.com web site.

 Using this method, I know who the company is (ACME) and can show them their customized list of "best wines"

 
 My question is about security.  How do I ensure that someone does not take this link and use it on another web site?

 What's to prevent anyone from using this same URL from anywhere?  

I figure anything that I add to the URL, like an ID or hash, would also be copied, so it still doesn't help.

I do not see enough consistency with CGI.referrer to see that it is always populated, so I don't think that would be a good solution.

 Suggestions?
 Thanks!!

This question has been solved and asker verified.

Asked On: 2006-11-16 at 09:58:49
ID: 22063308
Tags: access
Topic: ColdFusion Application Server
Participating Experts: 4
Points: 500
Comments: 16

Answers

 

by: DAJED, posted on 2006-11-16 at 11:04:38, ID: 17958702

You have options:
1) cgi.remote_addr:
    - Check this value; if it is in the list of valid IP addresses for the company, then good
2) Set up a login page:
    - ask for a company ID (that of course only they know)
    - get user name and password
    - verify and let in if all pass your tests
3) Generate a report of their best wines, create a PDF and email it to them on a set schedule (once a week, every 3 hours, etc.)

 

by: gdemaria, posted on 2006-11-16 at 12:40:09, ID: 17959706


Thanks DAJED, I appreciate your response.

1) Isn't the IP address in REMOTE_ADDR that of the user? If so, there is no way for me to determine and manage all the IP addresses of the various people who may visit their web site.

2) The list of best wines is not something that the companies will have behind a password. I want to ensure that only ACME company shows the list on their site and no other company is showing it. They pay for the privilege of us managing and displaying these pages. However, the company does not have to ask their user community to log in to see it.

3) The "best wines" scenario is a simplified representation of the site; the actual data is far more complex and supports things like searching, calculations and more that cannot be done in a static view.


Perhaps an analogy of this would be something like a news feed, stock reports, or weather conditions. Web sites pay the provider of this information to display it on their site. If I cut and paste the weather code out of their home page and try to run it on my home page, would it work?
(The main difference between that and my case is that I have many large pages, not a small page insert like a stock graph that would run from JavaScript.)

Thanks !

 

by: trailblazzyr55, posted on 2006-11-16 at 13:15:31, ID: 17960097

To restrict access of a section of the website to only certain individuals or companies, you may want to grant permissions on your server so that only users from a given IP address, that IP coming from the 3rd party company's server, will be granted access to a given directory.

Let's say you are Company A serving Company B, which should have access to

www.CompanyA.com/CompanyB/bestWines.cfm

and you are the user going through Company B to view that site.

Well, set up access control on that directory (../CompanyB) so that it only allows access to that page for requests coming through Company B's server. Everyone else not going through Company B's server will not have access to that directory, nor any sub-directories or files under that directory. This only requires you to keep track of a limited number of IPs, based on the number of companies you're supporting.

You would be setting this ACL (access control list) in your IIS or whatever you're using...
This would not be handled in the code...

 

by: trailblazzyr55, posted on 2006-11-16 at 13:19:14, ID: 17960130

this solves the question... "How do I ensure that someone does not take this link and use it on another web site?"

If the request isn't coming from Company B's web server, IIS should be set up to restrict access to anyone else. This means that I could not then copy the link and use it on my website, because that directory is restricted to Company B's web server only.

 

by: trailblazzyr55, posted on 2006-11-16 at 13:28:53, ID: 17960241

using the .htaccess you may be able to accomplish this task (for Apache)...

here's an example...

https://www.abdn.ac.uk/diss/webpack/factsheet20.shtml#section20.3

 

by: trailblazzyr55, posted on 2006-11-16 at 13:35:14, ID: 17960311

 

by: gdemaria, posted on 2006-11-16 at 14:05:56, ID: 17960648


 Hi Trail,

 Thanks for all that good information.

I'm curious which IP address my IIS would receive if a user is browsing Company B's web site and Company B uses a hidden iFrame or a simple link to display pages from our (Company A's) server. Wouldn't the IP address IIS gets be that of the user, not of Company B?

 My preference would be a software approach, simply because the task of setting up a new company (Company D, E, etc) is entirely automated and I would prefer not to have to configure IIS every time we get a new client.   We also have hundreds of clients, doing it in IIS may be a bit much perhaps?  Not sure..

 Thanks again for putting so much thought into it

 

by: trailblazzyr55, posted on 2006-11-16 at 14:24:44, ID: 17960785

With a 3rd party software you're still going to have to configure something for each company I think, especially when initializing it and adding the companies you currently support, if any yet if this is something new... not 100% sure, I guess it depends on the software. I don't know of any off-hand that would do this automatically, although that's definitely not to say there isn't. With IIS it may be a task of getting all your currently supported companies in there, even if you purchase something, you'll still have to update it with the companies you currently support.

With hidden iFrames, they are still located on Company B's server. If a user is browsing company B's site, which is communicating with yours, they are still the middle man. The request still hits company B first coming from the user, which is then requesting from your server. May have to test everything to be 100% sure, however I'm pretty sure company B would still be the middle man.

As far as automation, I'm not sure what software would automate the process of access control to your webserver, and in the case of Company B using an iFrame which is pulling from your server, it'd still have the same issue as configuration through IIS, however I don't think there'll be a problem there. A simple test should clarify that pretty quick.

If you test, post your results; it'd be good info for future users reading...

 

by: hammond_david, posted on 2006-11-16 at 16:29:26, ID: 17961735

I don't think there's any way to do this (elegantly, at least) without requiring server-side programming on the customer's server. That is, you can require an ID or hash in the URL, but on the customer's site they would need to call the URL from the server using cfhttp (or whatever equivalent they have available) to print the results to a page that hides the URL from users. What you are essentially providing is a web service. Ideally you would provide the data as XML and allow the customer to display it any way they like. Of course, to make it as simple for your customers as possible, you would want to provide templates in a variety of programming languages (ColdFusion, PHP, etc.) that would do the work for them.

I hope that helps!
- David

 

by: gdemaria, posted on 2006-11-16 at 18:50:43, ID: 17962179


 Hi Trail,  When I said software, I was actually thinking coldfusion coding.  As in checking some type of authentication or something.

Perhaps I could embed some JavaScript into the page that ensures it's being run on a particular domain? ... but then again, would the domain still be my company, since it is actually being run there :)

 Or an authentication key based on time stamp, but I don't want the client customer to have to do any coding (as in generating the hash and passing it to me).

 David may be right, no easy way...

David, there's no way that I can supply data to the customer and ask them to code. The application is far too complex; it's part of our bread and butter to keep the data to ourselves and present it in the way we do. (It's far more than the "best wines" I indicated in the question.)

 

by: hammond_david, posted on 2006-11-17 at 07:21:59, ID: 17965729

I understand what you're saying -- it's a full application, not as simple as a news feed.  The only really secure solution would be to provide your client with a script that authenticates the client and does the appropriate http gets and posts to access the application on your server.  Other than that, you're relying on javascript (you might be able to check top.location.href to make sure it is within a frame that is hosted by an authorized client), or on the http_referrer, both of which rely too much on the client browser to be truly effective.

Good luck!
- David
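The server-side approach David describes (an ID or hash in the URL, fetched by the customer's own server rather than by the visitor's browser) and the time-stamped authentication key gdemaria floats above fit together as a short-lived signed URL. The Python below is an added example, not code from this thread or from any ColdFusion site; the client names, the secret values and the `sign_url`/`verify_url` helpers are all constructed for illustration. The provider keeps one shared secret per hosting client; the client's server produces a URL carrying the company name, an expiry time and an HMAC over both, and the provider refuses anything tampered with, stale or signed with the wrong secret.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: one shared secret per hosting client, handed to that
# client's server out of band when they are set up. Placeholder values only.
CLIENT_SECRETS = {
    "ACME": b"acme-shared-secret-PLACEHOLDER",
    "CompanyB": b"companyb-shared-secret-PLACEHOLDER",
}

BASE = "https://www.ourwebsite.com"  # host from the question; HTTPS assumed


def _signature(secret: bytes, company: str, page: str, expires: int) -> str:
    """HMAC-SHA256 over every field that must not be altered."""
    msg = f"{company}\n{page}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(company: str, page: str, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Build a URL for `company` that stops working after `ttl_seconds`.

    The client's server (not the visitor's browser) is meant to produce or
    request this URL, so the shared secret never reaches end users.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = _signature(CLIENT_SECRETS[company], company, page, expires)
    return f"{BASE}/{company}/{page}?" + urlencode({"exp": expires, "sig": sig})


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Provider-side check of an incoming request URL. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2:
        return False, "bad path"
    company, page = segments
    secret = CLIENT_SECRETS.get(company)
    if secret is None:
        return False, "unknown company"
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing exp/sig"
    if now > expires:
        return False, "expired"
    expected = _signature(secret, company, page, expires)
    # Constant-time comparison so response timing does not leak the signature.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("ACME", "bestWines.cfm", now=1000)
    print(link)
    print(verify_url(link, now=1100))   # (True, 'ok')
    print(verify_url(link, now=1400))   # (False, 'expired')
    print(verify_url(link.replace("/ACME/", "/CompanyB/"), now=1100))  # (False, 'bad signature')
```

Because the signature covers the company and the page, a copied link only ever serves that one page for that one company, and only until it expires, which answers the "what if someone copies the URL" concern. The secret has to stay on the client's server, which is exactly why the fetch must happen server-to-server (cfhttp in the thread's terms) rather than from an iFrame in the visitor's browser, where the link, and anything in it, is visible to every visitor.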

 

by: substand, posted on 2006-11-17 at 08:01:28, ID: 17966146

You mentioned that "I do not see enough consistency with  CGI.referrer to see that it is always populated so I don't think that would be a good solution."  

I've never noticed it not populated, but supposing that it isn't, is it always populated when coming from your clients?  If so, you can still use it, and if it isn't populated sometimes, don't show the info.  

I think that is your best bet, given that you don't want to simply provide a web service for them (where you could request authentication). But even that can be spoofed.

 

by: hammond_david, posted on 2006-11-17 at 08:29:53, ID: 17966422

substand, I'm not sure what you mean when you say that a web service can be "spoofed".  If a webservice is accessed via https, then it is pretty darn secure.

The only thing I would note about this is that even if the content is passed securely to the client, it is then only as secure as your client's website :-)

That said, I agree that to keep the honest people honest, checking the referrer *should* work.  The problem is that it depends on the browser to send the referrer properly, and it would be very easy for someone to forge the referrer header on their request.

- David
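DAJED's first option and trailblazzyr55's directory ACL key on the caller's address, substand proposes refusing the page when the referrer is blank, and gdemaria points out that for an iFrame the address seen is the visitor's, not Company B's. The Python below is an added example, not code from this thread; the `CLIENTS` registry, its address ranges (taken from the RFC 5737 documentation blocks) and the hostnames are constructed placeholders. It combines those ideas into one fail-closed decision: a request is served if it comes from a registered client server (the server-to-server case) or if the browser's Referer host exactly matches one of the client's sites (the embedded case); a blank Referer from an unknown address is refused, and the whole hostname is compared so look-alike domains do not slip through.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed registry: per hosting client, the address ranges of the servers
# that fetch pages server-to-server, and the web hosts allowed to embed pages
# in a frame. Placeholder values from the RFC 5737 documentation ranges.
CLIENTS = {
    "ACME": {
        "server_ranges": ["203.0.113.0/24"],
        "embed_hosts": ["www.acme.com", "acme.com"],
    },
    "CompanyB": {
        "server_ranges": ["198.51.100.10/32"],
        "embed_hosts": ["www.companyb.example"],
    },
}


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Hostname from a Referer header, or None if it is absent or malformed."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    # Return the full, lower-cased host; callers compare it whole, never as a
    # substring, so 'www.acme.com.evil.example' cannot pass as 'acme.com'.
    return host.lower() if host else None


def authorize(company: str, remote_addr: str,
              referer: Optional[str]) -> Tuple[bool, str]:
    """Decide whether to serve /<company>/... for one request.

    Returns (allowed, reason). Unknown companies, unparseable addresses and
    missing Referers all fail closed.
    """
    entry = CLIENTS.get(company)
    if entry is None:
        return False, "unknown company"
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False, "bad remote address"
    # Case 1: the client's own server fetched the page (proxy / cfhttp style),
    # so the remote address really is the client's.
    if any(addr in ip_network(r) for r in entry["server_ranges"]):
        return True, "trusted server address"
    # Case 2: a visitor's browser loaded the page inside the client's site, so
    # the remote address is the visitor's and only the Referer names the client.
    host = referer_host(referer)
    if host is None:
        return False, "no referer"  # bookmark, privacy setting, or stripped by a proxy
    if host in entry["embed_hosts"]:
        return True, "referer matches"
    return False, "referer host not allowed"


if __name__ == "__main__":
    # Constructed requests: (company, remote address, Referer header)
    samples = [
        ("ACME", "203.0.113.7", None),
        ("ACME", "192.0.2.44", "https://www.acme.com/wines/"),
        ("ACME", "192.0.2.44", None),
        ("ACME", "192.0.2.44", "https://www.acme.com.evil.example/"),
    ]
    for company, addr, ref in samples:
        print(company, addr, ref, "->", authorize(company, addr, ref))
```

As David notes, the Referer is supplied by the browser, is trivially forged by anyone making their own request, and is dropped by some privacy settings and proxies, so the embedded case only keeps honest people honest; the address check is the only part with real teeth, and it applies solely when the client's server does the fetching. Logging the reason string alongside each refusal makes it easy to tell bookmark traffic from a client whose site has started presenting the pages in a new way.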

 

by: gdemaria, posted on 2006-11-17 at 08:33:49, ID: 17966468


 Thanks substand,
 
I set up a little test to save the CGI.referrer for each visitor accessing our site (accessing our site through our hosting clients). We do currently have a bunch of hosting sites set up without security.

 My logs show that the CGI.referrer is inconsistent.  Sometimes it's blank.   I see two reasons for this

1) We have not required our hosting clients to present our pages in any particular way. That is, we don't force them to show our page within an iFrame or a Frame. They can just link to us if they want. This may change, but that's the way it is now. Therefore, the pages could be bookmarked and there would be no referrer.

 2) I did some research on this and read that the referrer is not always supported by some web servers.  This was very surprising to me, but I did see a blank referrer by some companies that have our page in a frame.  So I am not sure how this happens but it appears to.

 Curious..

 

by: gdemaria, posted on 2006-11-17 at 08:41:19, ID: 17966540


My latest thinking: I've been looking at how embedded JavaScript such as Google Ads, LiveHelp, the weather, news, etc. all work. I grabbed a couple of these from other sites and placed them on mine for a quick test and, of course, they did not work.

 I am wondering if I can take the technology they are using and apply it to my situation.

Perhaps I can give them a block of JavaScript code that will create an iFrame sourcing my web site. The JavaScript code would exist on my server and somehow check who they are (the same way Google Ads and LiveHelp do).

 If the hosting company is using frames (and doesn't want the iFrame approach) perhaps I can have them place some other javascript in their frame, something that I can test for in the parent.window dom again using javascript.  Of course it seems this might be able to be stripped out by a savvy user.

 Thoughts?    Again, all input is very much appreciated :)

 

by: substand, posted on 2006-11-17 at 08:48:50, ID: 17966596

David,

I didn't mean the webservice could be spoofed... I meant that to refer to the referrer.  Sorry for the confusion.

gdemaria:

You said "1) We have not required our hosting clients to present our pages in any particular way. That is, we don't force them to show our page within an iFrame or a Frame. They can just link to us if they want. This may change, but that's the way it is now. Therefore, the pages could be bookmarked and there would be no referrer."

I was thinking you only wanted to show it when linked to from their site, or embedded in a frame, or whatever.  In that case, they should always be sending the referrer.  Yes, if someone bookmarked it, then it wouldn't show... but I thought that was precisely your point.  Sorry if I misunderstood.

You also mentioned something about google ads -  In my experience, wherever I place them they work ... so I'm not sure what you're getting at there.
