URL encryption

I am setting up an ecommerce site and i would like to encrypt the URLs so that users cannot guess the URL of my purchase order forms.

Can anybody tell me a way to do this?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

URL is always public. Dot.
You may use some kind of redirection on your server, either with URL-redirection, or with a CGI.

Or use protected website.
trigabertAuthor Commented:
But, in hotmail for example you cannot guess the URL of your inbox folder and type it in to go straight there.  How did they do this.  Symbols come up, is there a way of doing this.  I think thee are algorithms or something

Thank you
of corse you may generate random URLs, which use static files being deleted after a timeout.
But this is still a valid, not encrypted, URL.
Put Your Flow Data to Work

SolarWinds® Flow Tool Bundle combines three easy-to-download, easy-to-use flow analysis tools that can help you quickly distribute, test, and configure your flow traffic.

Tim HolmanCommented:
Using the Hotmail example...

1)  You login
2)  You are redirected to a temporary URL containing your Inbox

This URL is then valid (as long as your login hasn't timed out) to get to your Inbox.

Sounds like you need to setup some form of authentication, so users can only get to these forms if they login.
There are many systems that non-guessible temporary URL's.

One example is the one you cited, hotmail.  The other is something like BroadVision or MicroStrategy which use dynamic content (jsp's, cgi's, etc.) and a sessionid=<blah> type semantic in the URL.

Exatly how you want to do this depends on exactly what the underlying technology is.

The salient point, however, is that you need a strong random number generator to generate the randomness.
trigabertAuthor Commented:
how do I do this.  I am using an Apache web server with SSL to encrypt the channel.  How do I get a strong random number generator to generate the randomness
Thank you
If you're on Linux or BSD, you've got /dev/random, which you can use as a seed to drand48().

If you're on another platform that doesn't have /dev/random, it's a little harder, though those functions with seeded with a few things like the user-id, the time of day, etc. is probably fine.
trig - Just use some dynamic content generator (cgi is great for this - just be sure to use the POST method, as the GET method causes the form datqa to be part of the URL) for the pages you don't want folks to be able to access directly.

Example:  A simple script that directs users to a specific personal portion of the website - just make a cgi called mypages.cgi (or whatever you want to call it), make the users enter some sort of specific identifying info on the page (and shove a cookie at them if your content isn't required to be ultra-secure).  If you want multiple pages to behave this way, make your cgi generate them all, using the cookie as reference.

A scheme involving a unique-ID URL that expires quickly (like chris is talking about) will do what you want, but is ,IMO, harder to implement, and less elegant than the cgi scheme.  One advantage it may have is scalability (since you don't have to run much code for each page - just generate a new temporary entry in the URL database) - prob why hotmail, etc like to use it.  

The way most websites that sport "dynamic" URLs do it is simple: create a .htaccess rewrite rule on the fly and make sure the destination checks for some validity of this dynamically created rewrite. In a similar scenario, here's how I did it:

Upon authentication, the user's IP and username go into a database field. Via a simple SHA1 addition, I add the two together, add a semi-volatile key (refresh=30 seconds), a "secret" key only the system should know (it's not very secret information, but it helps to keep it safe) and a constantly incrementing ID.

So here's the whole list:


Now, I rewrite the .htaccess rule. mod_rewrite does the rest of the magic:

RewriteRule ^/inbox/{sha1result} http://{non_routed_ip}/{user}/inbox [P]

Since the backend server IP is non-routed, it is not accessible from the outside, to make doubel sure, I also ensured that all non-routed IPs are blocked on all equipment that seperates the DMZ in which the frontend is located from the backend except for the frontend servers.

My next step was to have the inbox file actually verify those keys:

The semi-volatile key will change, so I have to hand it down to the backend - via a database object referencing the user, the key and a unix timestamp to expire the session in time. The inbox knows both the user and the key, gets the IP from the frontend server seperately for all requests (a hacked mod_rewrite that sets this information in [P] requests as a HTTP header) and the incremented IP.

Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set. Since that's all HTTPS it's a bit complicated to obtain this information, provided the user's ${HOME} is safe. If he comes from a different IP, the hash does not match and he gets thrown out anyways.

This is the most common method and usually less server load intensive than session-ID based rewriting of the request string.
> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.

In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.
>> Should someone else from the same IP try to access the INBOX, he will fail based on the cookies we set.
> In other words: from every NATted network (with probably millions of users behind), you only accept one, the first one.

No, why? Different cookies at login time, different incremental,
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange

Community Support Moderator @Experts Exchange

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Spidey - please consider my permanent recommendation in dead questions to which I have contributed to be a pt split amongst all experts attempting to seriously resolve the problem.  No reason to destroy pts, since I doubt the asker gets them back (to which I am opposed, in any case), and some of us need to support our EE Pro habit hehe

If you're going to finalize a question, just assume I recommeded a pts split as explained above - if I want all the pts I will say so.

Sorry for the blanket statement, but I often don't get a chance to look over all the dead posts before they are finalized.


In short, I cannot accept your wishes.  If you want any points for these dead questions, you are required to speak up just like everybody else.

The long form:

Many others would disagree with you, so I cannot accept a blanket statement from a single person.  Besides, am I supposed to maintain a list of all the people who want points on every question they commented on while going through cleanup?  My job is laborious enough without needing to check another list.  However, if you'd like, the Expert Input area is where you can suggest and possibly effect change.  The Experts Advisory board checks there and they represent all experts on this site. It is at: http://www.experts-exchange.com/Community_Support/Expert_Input/

A couple of challenges you will face are:
1) Some experts do not add value to the question
2) There is a minimum oof 20 points per person
3) This severely increases the time a moderator spends handling a question
4) I have been a moderator since the beginning of January this year.  In that time, I've created about 150 "points for" questions.  I still have 50 of them outstanding.  That means 1/3 of the time, I will be creating these questions that nobody will pick up and will eventually have to clean those ones up as well.
5) All experts are given an opportunity to claim points within a reasonable amount of time prior to cleanup.  If they are important to you, then state you think you should get them.  It doesn't mean you will, but you've spoken up and increased your chances.
6) Some questions and answers are just not worth anything.
7) An auto-grade and "one-size-fits-all" approach has already been taken with respect to questions in EEs history.  They were considered miserable failures by a vast majority of everybody (Admins, Mods, Experts, Execs, and even questioners).

My apologies if this is not to your liking, but it's the only way I know you can make this sort of change happen.

Best wishes.

Community Support Moderator @Experts Exchange
3) I don't know how often I asked for a automatic script to handle "open" or dangling questions, IMHO it's wasting of time clicking through question which seem to be abandoned, which can be done by a simple SQL select piped to mail send to the question's author
  echo "SELECT q.title,q.qid,q.author FROM q WHERE q.status=open AND q.lastaccess=>'last month'"|mail -s"please finalize" q.author
and above in a cron, think you all know what I mean ;-)

5) hmm "within a week" the opportunity to claim points ..
   think this is not realy practical for some experts
6) agreed, it would be nice to have some of them canceled right at the start of the thread if you/we get the impression that they are useless (like homeworks, or request for onlines wher others filed book with the answer).
7) auto-grading have been removed from EE, IMHO a good decision 'cause it may have been used for feeding "friends" with points

Thanks for the feedback.

3) Yes, we know what you mean.  However, you've seen the results of several cleanup lists.  How many questioners respond to the cleanup pings?  From my experience it is less than 1% and I've handled some 10k+ questions since I've been a mod.  IMO it won't be fruitful enough.  Now, perhaps catching them with a message after only a month has gone by might produce slightly better results, but not much.  If they won't respond to the experts helping them, why would they respond to an automated message?  As a moderator, I don't even get 50% of the people to respond to me after the first day on issues like homework.

5) You're right, it might not be practical for some experts, but what number is?  Some only log on once or twice a month, some less frequently than that. Personally, I feel a week is reasonable as it allows those that work during the week to visit on the weekend and they always get an email notification.  I can count on 1 hand the number of times I've had someone complain that a week wasn't enough and they wanted the points.  Twice and in both cases, I issued the points.  Both times, they indicated that they ignored the email or didn't know what the cleanup process was all about.  I don't think that kind of record indicates we should change it, but that's not my call one way or another and perhaps an Expert Input thread would change the week threshold.

7) You point out 1 scenario on auto-grading.  I spent the better part of 4 days cleaning all the locked Qs on the technical side of the site and if you're interested in seeing some of the other problems I found with things like tha answer capabilities which could also apply to auto-grading, feel free to look in here:http://www.experts-exchange.com/Community_Support/Feedback/Q_20573696.html

Community Support Moderator @Experts Exchange
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.