trigabert
asked on
URL encryption
I am setting up an ecommerce site and i would like to encrypt the URLs so that users cannot guess the URL of my purchase order forms.
Can anybody tell me a way to do this?
Thanks
Trig
Can anybody tell me a way to do this?
Thanks
Trig
ASKER
But, in hotmail for example you cannot guess the URL of your inbox folder and type it in to go straight there. How did they do this. Symbols come up, is there a way of doing this. I think thee are algorithms or something
Thank you
trig
Thank you
trig
of corse you may generate random URLs, which use static files being deleted after a timeout.
But this is still a valid, not encrypted, URL.
But this is still a valid, not encrypted, URL.
Using the Hotmail example...
1) You login
2) You are redirected to a temporary URL containing your Inbox
This URL is then valid (as long as your login hasn't timed out) to get to your Inbox.
Sounds like you need to setup some form of authentication, so users can only get to these forms if they login.
1) You login
2) You are redirected to a temporary URL containing your Inbox
This URL is then valid (as long as your login hasn't timed out) to get to your Inbox.
Sounds like you need to setup some form of authentication, so users can only get to these forms if they login.
There are many systems that non-guessible temporary URL's.
One example is the one you cited, hotmail. The other is something like BroadVision or MicroStrategy which use dynamic content (jsp's, cgi's, etc.) and a sessionid=<blah> type semantic in the URL.
Exatly how you want to do this depends on exactly what the underlying technology is.
The salient point, however, is that you need a strong random number generator to generate the randomness.
One example is the one you cited, hotmail. The other is something like BroadVision or MicroStrategy which use dynamic content (jsp's, cgi's, etc.) and a sessionid=<blah> type semantic in the URL.
Exatly how you want to do this depends on exactly what the underlying technology is.
The salient point, however, is that you need a strong random number generator to generate the randomness.
ASKER
how do I do this. I am using an Apache web server with SSL to encrypt the channel. How do I get a strong random number generator to generate the randomness
Thank you
Trig
Thank you
Trig
If you're on Linux or BSD, you've got /dev/random, which you can use as a seed to drand48().
If you're on another platform that doesn't have /dev/random, it's a little harder, though those functions with seeded with a few things like the user-id, the time of day, etc. is probably fine.
If you're on another platform that doesn't have /dev/random, it's a little harder, though those functions with seeded with a few things like the user-id, the time of day, etc. is probably fine.
trig - Just use some dynamic content generator (cgi is great for this - just be sure to use the POST method, as the GET method causes the form datqa to be part of the URL) for the pages you don't want folks to be able to access directly.
Example: A simple script that directs users to a specific personal portion of the website - just make a cgi called mypages.cgi (or whatever you want to call it), make the users enter some sort of specific identifying info on the page (and shove a cookie at them if your content isn't required to be ultra-secure). If you want multiple pages to behave this way, make your cgi generate them all, using the cookie as reference.
A scheme involving a unique-ID URL that expires quickly (like chris is talking about) will do what you want, but is ,IMO, harder to implement, and less elegant than the cgi scheme. One advantage it may have is scalability (since you don't have to run much code for each page - just generate a new temporary entry in the URL database) - prob why hotmail, etc like to use it.
Cheers,
-Jon
Example: A simple script that directs users to a specific personal portion of the website - just make a cgi called mypages.cgi (or whatever you want to call it), make the users enter some sort of specific identifying info on the page (and shove a cookie at them if your content isn't required to be ultra-secure). If you want multiple pages to behave this way, make your cgi generate them all, using the cookie as reference.
A scheme involving a unique-ID URL that expires quickly (like chris is talking about) will do what you want, but is ,IMO, harder to implement, and less elegant than the cgi scheme. One advantage it may have is scalability (since you don't have to run much code for each page - just generate a new temporary entry in the URL database) - prob why hotmail, etc like to use it.
Cheers,
-Jon
The way most websites that sport "dynamic" URLs do it is simple: create a .htaccess rewrite rule on the fly and make sure the destination checks for some validity of this dynamically created rewrite. In a similar scenario, here's how I did it:
Upon authentication, the user's IP and username go into a database field. Via a simple SHA1 addition, I add the two together, add a semi-volatile key (refresh=30 seconds), a "secret" key only the system should know (it's not very secret information, but it helps to keep it safe) and a constantly incrementing ID.
So here's the whole list:
sha1(IP,sha1(username,sha1
Now, I rewrite the .htaccess rule. mod_rewrite does the rest of the magic:
RewriteRule ^/inbox/{sha1result} http://{non_routed_ip}/{user}/inb
Since the backend server IP is non-routed, it is not accessible from the outside, to make doubel sure, I also ensured that all non-routed IPs are blocked on all equipment that seperates the DMZ in which the frontend is located from the backend except for the frontend servers.
My next step was to have the inbox file actually verify those keys:
The semi-volatile key will change, so I have to hand it down to the backend - via a database object referencing the user, the key and a unix timestamp to expire the session in time. The inbox knows both the user and the key, gets the IP from the frontend server seperately for all requests (a hacked mod_rewrite that sets this information in [P] requests as a HTTP header) and the incremented IP.
Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set. Since that's all HTTPS it's a bit complicated to obtain this information, provided the user's ${HOME} is safe. If he comes from a different IP, the hash does not match and he gets thrown out anyways.
This is the most common method and usually less server load intensive than session-ID based rewriting of the request string.
Upon authentication, the user's IP and username go into a database field. Via a simple SHA1 addition, I add the two together, add a semi-volatile key (refresh=30 seconds), a "secret" key only the system should know (it's not very secret information, but it helps to keep it safe) and a constantly incrementing ID.
So here's the whole list:
sha1(IP,sha1(username,sha1
Now, I rewrite the .htaccess rule. mod_rewrite does the rest of the magic:
RewriteRule ^/inbox/{sha1result} http://{non_routed_ip}/{user}/inb
Since the backend server IP is non-routed, it is not accessible from the outside, to make doubel sure, I also ensured that all non-routed IPs are blocked on all equipment that seperates the DMZ in which the frontend is located from the backend except for the frontend servers.
My next step was to have the inbox file actually verify those keys:
The semi-volatile key will change, so I have to hand it down to the backend - via a database object referencing the user, the key and a unix timestamp to expire the session in time. The inbox knows both the user and the key, gets the IP from the frontend server seperately for all requests (a hacked mod_rewrite that sets this information in [P] requests as a HTTP header) and the incremented IP.
Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set. Since that's all HTTPS it's a bit complicated to obtain this information, provided the user's ${HOME} is safe. If he comes from a different IP, the hash does not match and he gets thrown out anyways.
This is the most common method and usually less server load intensive than session-ID based rewriting of the request string.
> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.
In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
>> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.
> In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
No, why? Different cookies at login time, different incremental,
> In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
No, why? Different cookies at login time, different incremental,
All,
I am unlocking this question in preparation for cleanup. I will return in 7 days to finalize this question. Please leave any recommendations for the final state of this question, I will take all recommendations into consideration. Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund. Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
I am unlocking this question in preparation for cleanup. I will return in 7 days to finalize this question. Please leave any recommendations for the final state of this question, I will take all recommendations into consideration. Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund. Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Spidey - please consider my permanent recommendation in dead questions to which I have contributed to be a pt split amongst all experts attempting to seriously resolve the problem. No reason to destroy pts, since I doubt the asker gets them back (to which I am opposed, in any case), and some of us need to support our EE Pro habit hehe
If you're going to finalize a question, just assume I recommeded a pts split as explained above - if I want all the pts I will say so.
Sorry for the blanket statement, but I often don't get a chance to look over all the dead posts before they are finalized.
Cheers,
-Jon
If you're going to finalize a question, just assume I recommeded a pts split as explained above - if I want all the pts I will say so.
Sorry for the blanket statement, but I often don't get a chance to look over all the dead posts before they are finalized.
Cheers,
-Jon
Jon,
In short, I cannot accept your wishes. If you want any points for these dead questions, you are required to speak up just like everybody else.
The long form:
Many others would disagree with you, so I cannot accept a blanket statement from a single person. Besides, am I supposed to maintain a list of all the people who want points on every question they commented on while going through cleanup? My job is laborious enough without needing to check another list. However, if you'd like, the Expert Input area is where you can suggest and possibly effect change. The Experts Advisory board checks there and they represent all experts on this site. It is at: https://www.experts-exchange.com/Community_Support/Expert_Input/
A couple of challenges you will face are:
1) Some experts do not add value to the question
2) There is a minimum oof 20 points per person
3) This severely increases the time a moderator spends handling a question
4) I have been a moderator since the beginning of January this year. In that time, I've created about 150 "points for" questions. I still have 50 of them outstanding. That means 1/3 of the time, I will be creating these questions that nobody will pick up and will eventually have to clean those ones up as well.
5) All experts are given an opportunity to claim points within a reasonable amount of time prior to cleanup. If they are important to you, then state you think you should get them. It doesn't mean you will, but you've spoken up and increased your chances.
6) Some questions and answers are just not worth anything.
7) An auto-grade and "one-size-fits-all" approach has already been taken with respect to questions in EEs history. They were considered miserable failures by a vast majority of everybody (Admins, Mods, Experts, Execs, and even questioners).
My apologies if this is not to your liking, but it's the only way I know you can make this sort of change happen.
Best wishes.
SpideyMod
Community Support Moderator @Experts Exchange
In short, I cannot accept your wishes. If you want any points for these dead questions, you are required to speak up just like everybody else.
The long form:
Many others would disagree with you, so I cannot accept a blanket statement from a single person. Besides, am I supposed to maintain a list of all the people who want points on every question they commented on while going through cleanup? My job is laborious enough without needing to check another list. However, if you'd like, the Expert Input area is where you can suggest and possibly effect change. The Experts Advisory board checks there and they represent all experts on this site. It is at: https://www.experts-exchange.com/Community_Support/Expert_Input/
A couple of challenges you will face are:
1) Some experts do not add value to the question
2) There is a minimum oof 20 points per person
3) This severely increases the time a moderator spends handling a question
4) I have been a moderator since the beginning of January this year. In that time, I've created about 150 "points for" questions. I still have 50 of them outstanding. That means 1/3 of the time, I will be creating these questions that nobody will pick up and will eventually have to clean those ones up as well.
5) All experts are given an opportunity to claim points within a reasonable amount of time prior to cleanup. If they are important to you, then state you think you should get them. It doesn't mean you will, but you've spoken up and increased your chances.
6) Some questions and answers are just not worth anything.
7) An auto-grade and "one-size-fits-all" approach has already been taken with respect to questions in EEs history. They were considered miserable failures by a vast majority of everybody (Admins, Mods, Experts, Execs, and even questioners).
My apologies if this is not to your liking, but it's the only way I know you can make this sort of change happen.
Best wishes.
SpideyMod
Community Support Moderator @Experts Exchange
3) I don't know how often I asked for a automatic script to handle "open" or dangling questions, IMHO it's wasting of time clicking through question which seem to be abandoned, which can be done by a simple SQL select piped to mail send to the question's author
echo "SELECT q.title,q.qid,q.author FROM q WHERE q.status=open AND q.lastaccess=>'last month'"|mail -s"please finalize" q.author
and above in a cron, think you all know what I mean ;-)
5) hmm "within a week" the opportunity to claim points ..
think this is not realy practical for some experts
6) agreed, it would be nice to have some of them canceled right at the start of the thread if you/we get the impression that they are useless (like homeworks, or request for onlines wher others filed book with the answer).
7) auto-grading have been removed from EE, IMHO a good decision 'cause it may have been used for feeding "friends" with points
echo "SELECT q.title,q.qid,q.author FROM q WHERE q.status=open AND q.lastaccess=>'last month'"|mail -s"please finalize" q.author
and above in a cron, think you all know what I mean ;-)
5) hmm "within a week" the opportunity to claim points ..
think this is not realy practical for some experts
6) agreed, it would be nice to have some of them canceled right at the start of the thread if you/we get the impression that they are useless (like homeworks, or request for onlines wher others filed book with the answer).
7) auto-grading have been removed from EE, IMHO a good decision 'cause it may have been used for feeding "friends" with points
ahoffmann,
Thanks for the feedback.
3) Yes, we know what you mean. However, you've seen the results of several cleanup lists. How many questioners respond to the cleanup pings? From my experience it is less than 1% and I've handled some 10k+ questions since I've been a mod. IMO it won't be fruitful enough. Now, perhaps catching them with a message after only a month has gone by might produce slightly better results, but not much. If they won't respond to the experts helping them, why would they respond to an automated message? As a moderator, I don't even get 50% of the people to respond to me after the first day on issues like homework.
5) You're right, it might not be practical for some experts, but what number is? Some only log on once or twice a month, some less frequently than that. Personally, I feel a week is reasonable as it allows those that work during the week to visit on the weekend and they always get an email notification. I can count on 1 hand the number of times I've had someone complain that a week wasn't enough and they wanted the points. Twice and in both cases, I issued the points. Both times, they indicated that they ignored the email or didn't know what the cleanup process was all about. I don't think that kind of record indicates we should change it, but that's not my call one way or another and perhaps an Expert Input thread would change the week threshold.
7) You point out 1 scenario on auto-grading. I spent the better part of 4 days cleaning all the locked Qs on the technical side of the site and if you're interested in seeing some of the other problems I found with things like tha answer capabilities which could also apply to auto-grading, feel free to look in here:https://www.experts-exchange.com/questions/20573696/Experiment-status.html
SpideyMod
Community Support Moderator @Experts Exchange
Thanks for the feedback.
3) Yes, we know what you mean. However, you've seen the results of several cleanup lists. How many questioners respond to the cleanup pings? From my experience it is less than 1% and I've handled some 10k+ questions since I've been a mod. IMO it won't be fruitful enough. Now, perhaps catching them with a message after only a month has gone by might produce slightly better results, but not much. If they won't respond to the experts helping them, why would they respond to an automated message? As a moderator, I don't even get 50% of the people to respond to me after the first day on issues like homework.
5) You're right, it might not be practical for some experts, but what number is? Some only log on once or twice a month, some less frequently than that. Personally, I feel a week is reasonable as it allows those that work during the week to visit on the weekend and they always get an email notification. I can count on 1 hand the number of times I've had someone complain that a week wasn't enough and they wanted the points. Twice and in both cases, I issued the points. Both times, they indicated that they ignored the email or didn't know what the cleanup process was all about. I don't think that kind of record indicates we should change it, but that's not my call one way or another and perhaps an Expert Input thread would change the week threshold.
7) You point out 1 scenario on auto-grading. I spent the better part of 4 days cleaning all the locked Qs on the technical side of the site and if you're interested in seeing some of the other problems I found with things like tha answer capabilities which could also apply to auto-grading, feel free to look in here:https://www.experts-exchange.com/questions/20573696/Experiment-status.html
SpideyMod
Community Support Moderator @Experts Exchange
You may use some kind of redirection on your server, either with URL-redirection, or with a CGI.
Or use protected website.