restricting access of a URL to a particular company

 My company will allow some of our customers to show pages from our web site from their corporate site.

 So, their company site will call a URL we set up for them that may look something like this...

 where ACME is the name of the company that is calling the page from the web site.

 Using this method, I know who the company is (ACME) and can show them their customized list of "best wines"

 My question is about security.  How do I ensure that someone does not take this link and use it on another web site?

 What's to prevent anyone from using this same URL from anywhere?  

 If figure anything that I add to the URL, like an ID or Hash would also be copied, so it still doesn't help.

 I do not see enough consistency with  CGI.referrer to see that it is always populated so I don't think that would be a good solution.  

LVL 39
Who is Participating?
to restrict access of a section of the website to only certain individuals or companies you may want to grant permissions on your server so that only users from a given IP address, that IP coming from the 3rd party companies server will be granted access to a given directory.

Lets say you are company A serving to company B which should have access to

an you are the user going through CompanyB to view that site

well setting up access control to that directory (../CompanyB) such that it will only allow access to that page for requests coming through CompanyB's server. Everyone else not going through CompanyB's server, will not have access to that directory, nor any sub-directories or files under that directory. This only requires you keep track of a limited number of IP's based on the number of companies you're supporting.

You would be setting this ACL (access control list) in your IIS or whatever you're using...
This would not be handled in the code...
You have options:
1) cgi.remote_addr:
      - Check this value, if it is in the list of valid IP addresses for the company, then good
2) setup a login-page:
    - ask for a company ID (that of course only they know)
    - get user name and password
    - verify and let in if all pass your tests
3) Generate a report of their best wines, great a pdf and email it to them on a set schedule (once a week, every 3 hours, etc)
gdemariaAuthor Commented:

 thanks DAjed, I appreciate your response.  

1) Isn't the IP address in REMOTE_ADDR that of the user?   If so, there is no way for me to determine and manage all the IP addresses of the various people who may visit thier web site.

2) The list of best wines is not something that the companies will have behind a password.  I want to ensure that only ACME company shows the list on their site and no other company is showing it.  They pay for the priviledge of us managing and displaying these pages.   However, the company does not have to ask their user community to login to see it.

3)  The "best wines" scenario is a simplied representation of the site;  the actual data is far more complex and supports things like searching, calculations and more that cannot be done in a static view.

Perhaps an analogy of this would be something like a news feed, stock reports, or weather conditions.  Web sites pay the provider of this information to display it on thier site.  If I cut and paste the weather code out of their home page and try to run it on my home page, would it work?
(the main difference between that and my case is that I have many large pages, not a small page insert like a stock graph that would run from javascript)

Thanks !

Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

this solves the question... "How do I ensure that someone does not take this link and use it on another web site?"

if the request isn't coming from company B's webserver, IIS should be setup to restrict access then to anyone else. This means that I could not then copy the link and use it on my website because that directory is restricted to company B's webserver only.
using the .htaccess you may be able to accomplish this task (for Apache)...

here's an example...
gdemariaAuthor Commented:

 Hi Trail,

 Thanks for all that good information.

 I'm curious which IP address would my IIS receive if a user is browsing CompanyB's web site and Company B uses a hidden iFrame or a simple link to display pages from our (Company A's) server.  Wouldn't the IP address IIS gets be that of the user not of Company B?

 My preference would be a software approach, simply because the task of setting up a new company (Company D, E, etc) is entirely automated and I would prefer not to have to configure IIS every time we get a new client.   We also have hundreds of clients, doing it in IIS may be a bit much perhaps?  Not sure..

 Thanks again for putting so much thought into it
With a 3rd party software you're still going to have to configure something for each company I think, especially when initializing it and adding the companies you currently support, if any yet if this is something new... not 100% sure, I guess it depends on the software. I don't know of any off-hand that would do this automatically, although that's definitely not to say there isn't. With IIS it may be a task of getting all your currently supported companies in there, even if you purchase something, you'll still have to update it with the companies you currently support.

With hidden iFrames, they are still located on Company B's server. If a user is browsing company B's site, which is communicating with yours, they are still the middle man. The request still hits company B first coming from the user, which is then requesting from your server. May have to test everything to be 100% sure, however I'm pretty sure company B would still be the middle man.

As far as automation, I'm not sure what software would automate the process of access control to your webserver, and in the case of Company B using an iFrame which is pulling from your server, it'd still have the same issue as configuration through IIS, however I don't think there'll be a problem there. A simple test should clarify that pretty quick.

If you test post your results, it'd be good info for future users reading...
I don't think there's any way to do this (elegantly, at least) without requiring server-side programming on the customer's server.  That is, you can require a id or hash in the url, but on the customer's site they would need to call the url from the server using cfhttp (or whatever equivalent they have available) to print the results to a page that hides the url from users.  What you are essentially providing is a web service.  Ideally you would provide the data as xml and allow the customer to display it any way they like.  Of course to make it as simple for your customers as possible, you would want to provide templates in a variety of programming languages (coldfusion, php, etc) that would do the work for them.

I hope that helps!
- David
gdemariaAuthor Commented:

 Hi Trail,  When I said software, I was actually thinking coldfusion coding.  As in checking some type of authentication or something.

 Perhaps I could embed some javascript into the page that ensure its being run on a particular domain? ... but then again, would the domain still be my company since it is actually being run there :)

 Or an authentication key based on time stamp, but I don't want the client customer to have to do any coding (as in generating the hash and passing it to me).

 David may be right, no easy way...

 David, there's no way that I can supply data to the customer and ask them to code.  The application is far to complex, its part of our bread and butter to keep the data to ourselves and present it in the way we do.  (Its far more than the "best wines" I indicated in the question).

I understand what you're saying -- it's a full application, not as simple as a news feed.  The only really secure solution would be to provide your client with a script that authenticates the client and does the appropriate http gets and posts to access the application on your server.  Other than that, you're relying on javascript (you might be able to check top.location.href to make sure it is within a frame that is hosted by an authorized client), or on the http_referrer, both of which rely too much on the client browser to be truly effective.

Good luck!
- David
You mentioned that "I do not see enough consistency with  CGI.referrer to see that it is always populated so I don't think that would be a good solution."  

I've never noticed it not populated, but supposing that it isn't, is it always populated when coming from your clients?  If so, you can still use it, and if it isn't populated sometimes, don't show the info.  

I think that is your best bet, given that you don't want to simply provide a webservice for them (where you could request authenitcation).  But, even that can be spoofed.

substand, I'm not sure what you mean when you say that a web service can be "spoofed".  If a webservice is accessed via https, then it is pretty darn secure.

The only thing I would note about this is that even if the content is passed securely to the client, it is then only as secure as your client's website :-)

That said, I agree that to keep the honest people honest, checking the referrer *should* work.  The problem is that it depends on the browser to send the referrer properly, and it would be very easy for someone to forge the referrer header on their request.

- David
gdemariaAuthor Commented:

 Thanks substand,
 I set up a little test to save the CGI.referrer for each vistor accessing our site (accessing our site through our hosting clients).   We do currently have a bunch of hosting sites set up without security.

 My logs show that the CGI.referrer is inconsistent.  Sometimes it's blank.   I see two reasons for this

 1) we have not required our hosting clients to present our pages in any particular way.  That is, we don't enforce them to show our page within an iFrame or a Frame.  They can just link to us if they want.  This may change, but that's the way it is now.  Therefore, the could be bookmarked and no referrer.  

 2) I did some research on this and read that the referrer is not always supported by some web servers.  This was very surprising to me, but I did see a blank referrer by some companies that have our page in a frame.  So I am not sure how this happens but it appears to.

gdemariaAuthor Commented:

 My latest thinking is that I've been looking at how embeded javascript such as google ads and livehelp and the weather, news, etc are all working.  I grabbed a couple of these from other sites and placed them on mine for a quick test and of course, they did not work.

 I am wondering if I can take the technology they are using and apply it to my situation.

 Perhaps I can give them a block of javascript code that will create an iFrame sourcing my web site.  The javascript code would exist on my server and somehow check who they are (the same way Good Ads and LiveHelp does).  

 If the hosting company is using frames (and doesn't want the iFrame approach) perhaps I can have them place some other javascript in their frame, something that I can test for in the parent.window dom again using javascript.  Of course it seems this might be able to be stripped out by a savvy user.

 Thoughts?    Again, all input is very much appreciated :)

I didn't mean the webservice could be spoofed... I meant that to refer to the referrer.  Sorry for the confusion.


You said "1) we have not required our hosting clients to present our pages in any particular way.  That is, we don't enforce them to show our page within an iFrame or a Frame.  They can just link to us if they want.  This may change, but that's the way it is now.  Therefore, the could be bookmarked and no referrer."

I was thinking you only wanted to show it when linked to from their site, or embedded in a frame, or whatever.  In that case, they should always be sending the referrer.  Yes, if someone bookmarked it, then it wouldn't show... but I thought that was precisely your point.  Sorry if I misunderstood.

You also mentioned something about google ads -  In my experience, wherever I place them they work ... so I'm not sure what you're getting at there.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.