Solved

Prevention of copying & pasting URL into another browser window

Posted on 2001-06-19
Last Modified: 2013-12-25
Currently I'm working on a CGI application
After successful login, every link in the pages contains the user ID and session ID, as follows:
http://www.abc.com/cgiprog?userid=zxcv;sessionid=AF46G7D2

Now how do I prevent the user from 'calling' cgi pages directly on another browser or on another PC by copying and pasting the URL?

I know how to disable the browser toolbars and disable mouse right-click, but is there a better solution?

Environment: cgi on linux redhat
Question by:defic
24 Comments
 

Author Comment

by:defic
ID: 6205684
By the way, cookie usage is not preferred either. Any other better solution is highly appreciated. Thanks.
LVL 5

Expert Comment

by:marecs
ID: 6205806
I can think of a number of ways.

Create a digest of a string made up of REMOTE_ADDR and HTTP_USER_AGENT and embed that in your session ID. That way you can detect movement between machines and browsers.

You can also make sure that HTTP_REFERER always contains your address. Do the session IDs expire?

Author Comment

by:defic
ID: 6205930
Thank you very much. I've tried REMOTE_ADDR and it's very good for checking the client's IP. But HTTP_USER_AGENT contains the browser version only. How do we detect if the user opens another browser window of the same type (e.g. 2 separate IE5 windows) on the same machine?

The HTTP_REFERER attribute gave a bit of a problem.
It returns the address truncated to 254 characters, so the end of the string is cut off. If only the whole string could be retrieved in full, this would be a good check.

Yes, the pages do expire.
LVL 5

Expert Comment

by:marecs
ID: 6205968
If a user copies and pastes the URL to another browser window, then the HTTP_REFERER will not be sent by the browser. Even if you only have the first 254 characters you can still see whether the link was clicked on from your original page.

I just checked: if you do "Open page in new window", the HTTP_REFERER is not sent.

Leave the question open and see what other replies you get. I can't think of anything else.

Chris
LVL 3

Expert Comment

by:rag2000
ID: 6206727
HTTP_REFERER is the solution
LVL 3

Expert Comment

by:rag2000
ID: 6206732
You can have a small function at the top of your CGIs that validates the referer, or else exits with an alert message.

Author Comment

by:defic
ID: 6208942
Does a browser window have its own unique browser ID?

Expert Comment

by:venkat_rs
ID: 6213478
You can use POST method for submitting the HTML form to avoid these things getting displayed as part of the URL. Suitable handling is required on the server side though.

Author Comment

by:defic
ID: 6213617
Already using the POST method. The problem is that the user can still 'right-click' on any link and copy it.

Regarding the 'HTTP_REFERER' attribute, it gives 'null' for pages that were opened using JavaScript window.open().
Any other methods to recommend?

Expert Comment

by:venkat_rs
ID: 6213652
Have a form (using POST method) with 2 hidden variables named 'userid' and 'sessionid'. Write JavaScript code to submit that form with the variables filled in with values, when the user clicks the link.

This way, the user cannot C&P any URL to call the CGI program. But still, the values can be seen by doing View Source. If you want to protect that, you can resort to encryption.

Author Comment

by:defic
ID: 6213746
Oh, I'm sorry, I was using hyperlinks and not FORM POST. The reason I resort to hyperlinks is that they look nicer on the main page, which acts like a 'menu' (similar to this page in the left frame).

Expert Comment

by:venkat_rs
ID: 6213760
Hyperlink is fine is what I am saying. All you have to do is to write JavaScript code to mimic the form submission.

Author Comment

by:defic
ID: 6213811
An example, please? Something like this?

<script>
var programpath;
programpath = '/bin/abc';
</script>
<!-- the stray ';' after the onclick quote is gone; return false stops the href='a' navigation once the window is opened -->
<a href='a' onclick='window.open(programpath); return false;'>A</a>

Expert Comment

by:venkat_rs
ID: 6213838
Try something like this:

...
<form method="post" name="form1" action="/bin/abc">
  <input type="hidden" name="userid" value="zxcv">
  <input type="hidden" name="sessionid" value="1343243">
</form>
...
<!-- void(0) needs an operand; document.form1 resolves the named form reliably -->
<a href="javascript:void(0)" onclick="document.form1.submit()">A</a>

Author Comment

by:defic
ID: 6216741
That's a good idea but I can achieve same result (and probably lesser work) by using HTTP_REFERER, as recommended in the earlier post.
The problem now is HTTP_REFERER is not sent when pages are called using 'window.open()'. You got other ideas?

Author Comment

by:defic
ID: 6216811
By the way, can the HTTP_REFERER info be trusted?
Can it be 'changed', or not sent at all in some circumstances?

Expert Comment

by:venkat_rs
ID: 6216857
I guess HTTP_REFERER can't be trusted.
LVL 1

Expert Comment

by:th94nn
ID: 6226378
If you use frames, you could keep one part of the frameset active with the user ID and password, and each transaction runs a JavaScript that reads the ID and password and copies them into 2 fields in a form, which the CGI reads.
LVL 3

Expert Comment

by:monas
ID: 6240951
OK, defic, what are you trying to prevent? Use of your site from 2 browser windows simultaneously? Then how about the following approach:

Given you check user/password already, add to that tuple yet another value - key - a random value of your favorite length. Change that key on every download of a page, and insist on matching the transmitted and stored keys.

The same in "by example" spirit:

You have document

<a href="protected1.html">some protected info 1</a>
<a href="protected2.html">some protected info 2</a>

You supply it by a CGI script which:
1) finds that this is user 'smit';
2) if this is a 'home page' then displays it;
3) if this is NOT a 'home page', then checks if the key submitted is the same as stored in the database for user smit;
4) if the check is negative - sends a complaint page and exits;
5) generates a new random key;
6) stores it in the database for user smit;
7) modifies href attributes like this:

<a href="/cgi-bin/protector.cgi?doc=protected1.html&key=1234567890">some protected info 1</a>
<a href="/cgi-bin/protector.cgi?doc=protected2.html&key=1234567890">some protected info 2</a>

8) outputs the page.

OK, this WILL NOT prevent me from copy-pasting the URL to another window on the same or another computer. But as soon as I hit a link in another window, all the links in the initial window will become invalid!

Good Luck!
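Monas's rotating-key scheme, as an added Python example that is not code from the thread: an in-memory dictionary stands in for the per-user key database, protector() implements steps 2 to 8 for a user already identified by step 1, and replay_scenario() shows what happens when a link from window A is pasted into window B. The document names and user 'smit' are constructed sample data.

```python
import hmac
import re
import secrets

# Constructed in-memory stand-in for the per-user key database of step 6.
KEY_STORE = {}

# Constructed sample documents; "home.html" plays the 'home page' of step 2.
DOCS = {
    "home.html": '<a href="protected1.html">some protected info 1</a>\n'
                 '<a href="protected2.html">some protected info 2</a>',
    "protected1.html": 'info 1 <a href="home.html">home</a>',
    "protected2.html": 'info 2 <a href="home.html">home</a>',
}

HREF_RE = re.compile(r'href="([^"]+\.html)"')
PROTECTED_RE = re.compile(r'href="/cgi-bin/protector\.cgi\?doc=([^&"]+)&key=([0-9a-f]+)"')


def rewrite_links(html, key):
    """Step 7: route every href through protector.cgi carrying the current key."""
    return HREF_RE.sub(
        lambda m: f'href="/cgi-bin/protector.cgi?doc={m.group(1)}&key={key}"', html)


def protector(user, doc, key=None):
    """Steps 2-8 for a user already identified by step 1. Returns (status, body)."""
    if doc != "home.html":                               # step 3: not the home page
        stored = KEY_STORE.get(user)
        if stored is None or key is None or not hmac.compare_digest(stored, key):
            return "complaint", "key mismatch: link reused or opened elsewhere"  # step 4
    new_key = secrets.token_hex(16)                      # step 5: fresh random key
    KEY_STORE[user] = new_key                            # step 6: store it
    return "ok", rewrite_links(DOCS[doc], new_key)       # steps 7-8: output page


def links_in(body):
    """Return the (doc, key) pairs a browser window currently holds for a page."""
    return PROTECTED_RE.findall(body)


def replay_scenario():
    """Window A loads the home page; its first link is pasted into window B.
    Returns the status seen in B, then the status A gets from its own link."""
    _, page_a = protector("smit", "home.html")
    doc, key = links_in(page_a)[0]
    status_b, _ = protector("smit", doc, key)    # pasted URL works once in B ...
    status_a, _ = protector("smit", doc, key)    # ... and A's links are now dead
    return status_b, status_a
```

Because step 2 lets the home page through unchecked, a pasted home-page URL always mints a fresh key; a defender would apply the key check to every page and keep the key tied to the server-side session rather than to the user alone.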
LVL 3

Expert Comment

by:monas
ID: 6240965
Oops, it WILL prevent copy-pasting the link of the page that is displayed in the initial window, because at the moment when this URL could be copied, the key will be invalid already.

What you will be able to copy is the links on the page displayed. But yet again, if you give a link to another window, all the links in the original will become invalid.

Author Comment

by:defic
ID: 6247313
Wow, good idea. Unfortunately my pages use a lot of frames and pop-up windows. Refreshing each frame with the correct key can be a problem (not impossible, but it needs some work).
Anyway, can I divide and distribute the reward points to you all, because some of you really helped me a lot.

Accepted Solution

by:
jenietcu earned 250 total points
ID: 6680921
hi,
1. you could use post instead of get on your forms,
or
2. you could create another script like authenticate.cgi to prevent user from accessing the actual site

jen

Expert Comment

by:jenietcu
ID: 6680929
hi again,
sorry, I just read that you're using a link instead of a form.
If you're using a link, then you could always use JavaScript, or, as you say, you could disable the browser toolbar so they won't be able to copy it anymore.
LVL 1

Expert Comment

by:Moondancer
ID: 6699260
Finalized
Moondancer
Community Support Moderator @ Experts Exchange