Solved

URL encryption

Posted on 2002-05-23
Last Modified: 2007-02-12
I am setting up an ecommerce site and I would like to encrypt the URLs so that users cannot guess the URL of my purchase order forms.

Can anybody tell me a way to do this?

Thanks
Trig
0
Question by:trigabert
17 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7030428
URL is always public. Dot.
You may use some kind of redirection on your server, either with URL-redirection, or with a CGI.

Or use protected website.
0
 

Author Comment

by:trigabert
ID: 7030510
But, in Hotmail for example you cannot guess the URL of your inbox folder and type it in to go straight there.  How did they do this?  Symbols come up; is there a way of doing this?  I think there are algorithms or something.

Thank you
trig
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7030640
Of course you may generate random URLs, which use static files being deleted after a timeout.
But this is still a valid, not encrypted, URL.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 7031581
Using the Hotmail example...

1)  You login
2)  You are redirected to a temporary URL containing your Inbox

This URL is then valid (as long as your login hasn't timed out) to get to your Inbox.

Sounds like you need to setup some form of authentication, so users can only get to these forms if they login.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 7031853
There are many systems that use non-guessable temporary URLs.

One example is the one you cited, hotmail.  The other is something like BroadVision or MicroStrategy which use dynamic content (jsp's, cgi's, etc.) and a sessionid=<blah> type semantic in the URL.

Exactly how you want to do this depends on exactly what the underlying technology is.

The salient point, however, is that you need a strong random number generator to generate the randomness.
0
 

Author Comment

by:trigabert
ID: 7032029
How do I do this?  I am using an Apache web server with SSL to encrypt the channel.  How do I get a strong random number generator to generate the randomness?
Thank you
 Trig
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 7032995
If you're on Linux or BSD, you've got /dev/random, which you can use as a seed to drand48().

If you're on another platform that doesn't have /dev/random, it's a little harder, though those functions seeded with a few things like the user-id, the time of day, etc. are probably fine.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7035829
trig - Just use some dynamic content generator (cgi is great for this - just be sure to use the POST method, as the GET method causes the form data to be part of the URL) for the pages you don't want folks to be able to access directly.

Example:  A simple script that directs users to a specific personal portion of the website - just make a cgi called mypages.cgi (or whatever you want to call it), make the users enter some sort of specific identifying info on the page (and shove a cookie at them if your content isn't required to be ultra-secure).  If you want multiple pages to behave this way, make your cgi generate them all, using the cookie as reference.

A scheme involving a unique-ID URL that expires quickly (like chris is talking about) will do what you want, but is, IMO, harder to implement, and less elegant than the cgi scheme.  One advantage it may have is scalability (since you don't have to run much code for each page - just generate a new temporary entry in the URL database) - prob why hotmail, etc like to use it.

Cheers,
-Jon
0
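The unique-ID temporary URL discussed in the comments above, as an added example that is not part of the original thread: a token drawn from the operating system's CSPRNG (Python's `secrets` module) is stored with an owner and an expiry time, and is only honoured for the logged-in user it was issued to. The class name, the `/t/` path prefix, the 15-minute lifetime and the in-memory dictionary standing in for the "URL database" are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 900  # assumed lifetime of a temporary URL


class TemporaryUrlStore:
    """In-memory stand-in (assumption) for the 'URL database'."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested
        self._entries = {}       # token -> (user, resource, expires_at)

    def issue(self, user, resource):
        """Create a temporary URL for an already authenticated user."""
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded.
        token = secrets.token_urlsafe(32)
        self._entries[token] = (user, resource, self._clock() + self._ttl)
        return f"/t/{token}"

    def resolve(self, path, user):
        """Return the protected resource, or None if the URL must be refused."""
        token = path.rsplit("/", 1)[-1]
        entry = self._entries.get(token)
        if entry is None:
            return None                      # unknown or guessed token
        owner, resource, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[token]         # expired: drop the entry
            return None
        if owner != user:
            return None                      # the token alone is not a login
        return resource
```
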

 
LVL 1

Expert Comment

by:jluster
ID: 7158883
The way most websites that sport "dynamic" URLs do it is simple: create a .htaccess rewrite rule on the fly and make sure the destination checks for some validity of this dynamically created rewrite. In a similar scenario, here's how I did it:

Upon authentication, the user's IP and username go into a database field. Via a simple SHA1 addition, I add the two together, add a semi-volatile key (refresh=30 seconds), a "secret" key only the system should know (it's not very secret information, but it helps to keep it safe) and a constantly incrementing ID.

So here's the whole list:

sha1(IP,sha1(username,sha1(key,sha1(seed))))

Now, I rewrite the .htaccess rule. mod_rewrite does the rest of the magic:

RewriteRule ^/inbox/{sha1result} http://{non_routed_ip}/{user}/inbox [P]

Since the backend server IP is non-routed, it is not accessible from the outside. To make double sure, I also ensured that all non-routed IPs are blocked on all equipment that separates the DMZ in which the frontend is located from the backend except for the frontend servers.

My next step was to have the inbox file actually verify those keys:

The semi-volatile key will change, so I have to hand it down to the backend - via a database object referencing the user, the key and a unix timestamp to expire the session in time. The inbox knows both the user and the key, gets the IP from the frontend server separately for all requests (a hacked mod_rewrite that sets this information in [P] requests as a HTTP header) and the incremented IP.

Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set. Since that's all HTTPS it's a bit complicated to obtain this information, provided the user's ${HOME} is safe. If he comes from a different IP, the hash does not match and he gets thrown out anyways.

This is the most common method and usually less server load intensive than session-ID based rewriting of the request string.
0
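A keyed-hash URL of the kind described in the comment above, as an added example that is not the commenter's code: it swaps the nested SHA-1 construction for HMAC-SHA256 and carries the expiry time in the URL instead of a database row. The function names, the `/inbox/<user>/<expires>/<tag>` layout, the 30-second lifetime and the key are assumptions; usernames are assumed to contain no `/` or newline.

```python
import hashlib
import hmac
import time

# Constructed placeholder key; a real deployment loads it from protected config.
SECRET_KEY = b"constructed-demo-secret"


def _mac(user, ip, expires, secret):
    # Unambiguous field separation so ("ab", "c") never collides with ("a", "bc").
    msg = "\n".join((user, ip, str(expires))).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_inbox_url(user, ip, ttl=30, now=None, secret=SECRET_KEY):
    """Issue a URL bound to the user, the client IP and an expiry time."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"/inbox/{user}/{expires}/{_mac(user, ip, expires, secret)}"


def verify_inbox_url(path, ip, now=None, secret=SECRET_KEY):
    """Backend check: return the username, or None if the URL is refused."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "inbox":
        return None
    _, user, expires_s, tag = parts
    if not (expires_s.isascii() and expires_s.isdigit()):
        return None
    expires = int(expires_s)
    expected = _mac(user, ip, expires, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                  # wrong user, wrong IP or forged tag
    if (now if now is not None else time.time()) >= expires:
        return None                  # authentic but expired
    # Users behind one NAT address share `ip`, so the session cookie
    # still has to be checked in addition to this tag.
    return user
```
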
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7158949
> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.

In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
0
 
LVL 1

Expert Comment

by:jluster
ID: 7159739
>> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.
> In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.

No, why? Different cookies at login time, different incremental,
0
 

Expert Comment

by:SpideyMod
ID: 8279125
All,
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8334681
PAQ'd

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 8339372
Spidey - please consider my permanent recommendation in dead questions to which I have contributed to be a pt split amongst all experts attempting to seriously resolve the problem.  No reason to destroy pts, since I doubt the asker gets them back (to which I am opposed, in any case), and some of us need to support our EE Pro habit hehe

If you're going to finalize a question, just assume I recommended a pts split as explained above - if I want all the pts I will say so.

Sorry for the blanket statement, but I often don't get a chance to look over all the dead posts before they are finalized.

Cheers,
-Jon


0
 

Expert Comment

by:SpideyMod
ID: 8341846
Jon,
In short, I cannot accept your wishes.  If you want any points for these dead questions, you are required to speak up just like everybody else.

The long form:

Many others would disagree with you, so I cannot accept a blanket statement from a single person.  Besides, am I supposed to maintain a list of all the people who want points on every question they commented on while going through cleanup?  My job is laborious enough without needing to check another list.  However, if you'd like, the Expert Input area is where you can suggest and possibly effect change.  The Experts Advisory board checks there and they represent all experts on this site. It is at: http://www.experts-exchange.com/Community_Support/Expert_Input/


A couple of challenges you will face are:
1) Some experts do not add value to the question
2) There is a minimum of 20 points per person
3) This severely increases the time a moderator spends handling a question
4) I have been a moderator since the beginning of January this year.  In that time, I've created about 150 "points for" questions.  I still have 50 of them outstanding.  That means 1/3 of the time, I will be creating these questions that nobody will pick up and will eventually have to clean those ones up as well.
5) All experts are given an opportunity to claim points within a reasonable amount of time prior to cleanup.  If they are important to you, then state you think you should get them.  It doesn't mean you will, but you've spoken up and increased your chances.
6) Some questions and answers are just not worth anything.
7) An auto-grade and "one-size-fits-all" approach has already been taken with respect to questions in EEs history.  They were considered miserable failures by a vast majority of everybody (Admins, Mods, Experts, Execs, and even questioners).

My apologies if this is not to your liking, but it's the only way I know you can make this sort of change happen.

Best wishes.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8342338
3) I don't know how often I asked for an automatic script to handle "open" or dangling questions, IMHO it's a waste of time clicking through questions which seem to be abandoned, which can be done by a simple SQL select piped to mail sent to the question's author
  echo "SELECT q.title,q.qid,q.author FROM q WHERE q.status=open AND q.lastaccess=>'last month'"|mail -s"please finalize" q.author
and above in a cron, think you all know what I mean ;-)

5) hmm "within a week" the opportunity to claim points ..
   think this is not really practical for some experts
6) agreed, it would be nice to have some of them canceled right at the start of the thread if you/we get the impression that they are useless (like homeworks, or requests for onlines where others filed book with the answer).
7) auto-grading has been removed from EE, IMHO a good decision 'cause it may have been used for feeding "friends" with points

0
 

Expert Comment

by:SpideyMod
ID: 8343047
ahoffmann,
Thanks for the feedback.

3) Yes, we know what you mean.  However, you've seen the results of several cleanup lists.  How many questioners respond to the cleanup pings?  From my experience it is less than 1% and I've handled some 10k+ questions since I've been a mod.  IMO it won't be fruitful enough.  Now, perhaps catching them with a message after only a month has gone by might produce slightly better results, but not much.  If they won't respond to the experts helping them, why would they respond to an automated message?  As a moderator, I don't even get 50% of the people to respond to me after the first day on issues like homework.

5) You're right, it might not be practical for some experts, but what number is?  Some only log on once or twice a month, some less frequently than that. Personally, I feel a week is reasonable as it allows those that work during the week to visit on the weekend and they always get an email notification.  I can count on 1 hand the number of times I've had someone complain that a week wasn't enough and they wanted the points.  Twice and in both cases, I issued the points.  Both times, they indicated that they ignored the email or didn't know what the cleanup process was all about.  I don't think that kind of record indicates we should change it, but that's not my call one way or another and perhaps an Expert Input thread would change the week threshold.

7) You point out 1 scenario on auto-grading.  I spent the better part of 4 days cleaning all the locked Qs on the technical side of the site and if you're interested in seeing some of the other problems I found with things like the answer capabilities which could also apply to auto-grading, feel free to look in here: http://www.experts-exchange.com/Community_Support/Feedback/Q_20573696.html

SpideyMod
Community Support Moderator @Experts Exchange
0
