Solved

restricting access of a URL to a particular company

Posted on 2006-11-16
Last Modified: 2013-12-24

 My company will allow some of our customers to show pages from our web site from their corporate site.

 So, their company site will call a URL we set up for them that may look something like this...

 www.ourwebsite.com/ACME/bestWines.cfm

 where ACME is the name of the company that is calling the page from the acme.com web site.

 Using this method, I know who the company is (ACME) and can show them their customized list of "best wines"

 
 My question is about security.  How do I ensure that someone does not take this link and use it on another web site?

 What's to prevent anyone from using this same URL from anywhere?  

 I figure anything that I add to the URL, like an ID or hash, would also be copied, so it still doesn't help.

 I do not see enough consistency with CGI.referrer to see that it is always populated, so I don't think that would be a good solution.

 Suggestions?
 Thanks!!
Question by:gdemaria
16 Comments
 

Expert Comment

by:DAJED
ID: 17958702
You have options:
1) cgi.remote_addr:
      - Check this value, if it is in the list of valid IP addresses for the company, then good
2) setup a login-page:
    - ask for a company ID (that of course only they know)
    - get user name and password
    - verify and let in if all pass your tests
3) Generate a report of their best wines, create a PDF and email it to them on a set schedule (once a week, every 3 hours, etc.)

Author Comment

by:gdemaria
ID: 17959706

 Thanks DAJED, I appreciate your response.

1) Isn't the IP address in REMOTE_ADDR that of the user? If so, there is no way for me to determine and manage all the IP addresses of the various people who may visit their web site.

2) The list of best wines is not something that the companies will have behind a password. I want to ensure that only ACME company shows the list on their site and no other company is showing it. They pay for the privilege of us managing and displaying these pages. However, the company does not have to ask their user community to login to see it.

3) The "best wines" scenario is a simplified representation of the site; the actual data is far more complex and supports things like searching, calculations and more that cannot be done in a static view.


Perhaps an analogy of this would be something like a news feed, stock reports, or weather conditions. Web sites pay the provider of this information to display it on their site. If I cut and paste the weather code out of their home page and try to run it on my home page, would it work?
(the main difference between that and my case is that I have many large pages, not a small page insert like a stock graph that would run from javascript)

Thanks !


Accepted Solution

by: trailblazzyr55 (earned 300 total points)
ID: 17960097
To restrict access of a section of the website to only certain individuals or companies, you may want to grant permissions on your server so that only users from a given IP address, that IP coming from the 3rd party company's server, will be granted access to a given directory.

Let's say you are company A serving to company B, which should have access to

www.CompanyA.com/CompanyB/bestWines.cfm

and you are the user going through CompanyB to view that site.

Well, set up access control to that directory (../CompanyB) such that it will only allow access to that page for requests coming through CompanyB's server. Everyone else not going through CompanyB's server will not have access to that directory, nor any sub-directories or files under that directory. This only requires you to keep track of a limited number of IPs, based on the number of companies you're supporting.

You would be setting this ACL (access control list) in your IIS or whatever you're using...
This would not be handled in the code...

Expert Comment

by:trailblazzyr55
ID: 17960130
This solves the question... "How do I ensure that someone does not take this link and use it on another web site?"

If the request isn't coming from company B's webserver, IIS should be set up to restrict access to anyone else. This means that I could not then copy the link and use it on my website, because that directory is restricted to company B's webserver only.

Expert Comment

by:trailblazzyr55
ID: 17960241
Using the .htaccess you may be able to accomplish this task (for Apache)...

Here's an example...

https://www.abdn.ac.uk/diss/webpack/factsheet20.shtml#section20.3

Assisted Solution

by: trailblazzyr55 (earned 300 total points)
ID: 17960311

Author Comment

by:gdemaria
ID: 17960648

 Hi Trail,

 Thanks for all that good information.

 I'm curious which IP address my IIS would receive if a user is browsing CompanyB's web site and Company B uses a hidden iFrame or a simple link to display pages from our (Company A's) server. Wouldn't the IP address IIS gets be that of the user, not of Company B?

 My preference would be a software approach, simply because the task of setting up a new company (Company D, E, etc.) is entirely automated and I would prefer not to have to configure IIS every time we get a new client. We also have hundreds of clients; doing it in IIS may be a bit much, perhaps? Not sure..

 Thanks again for putting so much thought into it

Expert Comment

by:trailblazzyr55
ID: 17960785
With a 3rd party software you're still going to have to configure something for each company I think, especially when initializing it and adding the companies you currently support, if any yet if this is something new... not 100% sure, I guess it depends on the software. I don't know of any off-hand that would do this automatically, although that's definitely not to say there isn't. With IIS it may be a task of getting all your currently supported companies in there, even if you purchase something, you'll still have to update it with the companies you currently support.

With hidden iFrames, they are still located on Company B's server. If a user is browsing company B's site, which is communicating with yours, they are still the middle man. The request still hits company B first coming from the user, which is then requesting from your server. May have to test everything to be 100% sure, however I'm pretty sure company B would still be the middle man.

As far as automation, I'm not sure what software would automate the process of access control to your webserver, and in the case of Company B using an iFrame which is pulling from your server, it'd still have the same issue as configuration through IIS, however I don't think there'll be a problem there. A simple test should clarify that pretty quick.

If you test post your results, it'd be good info for future users reading...

Expert Comment

by:hammond_david
ID: 17961735
I don't think there's any way to do this (elegantly, at least) without requiring server-side programming on the customer's server. That is, you can require an id or hash in the url, but on the customer's site they would need to call the url from the server using cfhttp (or whatever equivalent they have available) to print the results to a page that hides the url from users. What you are essentially providing is a web service. Ideally you would provide the data as xml and allow the customer to display it any way they like. Of course, to make it as simple for your customers as possible, you would want to provide templates in a variety of programming languages (coldfusion, php, etc.) that would do the work for them.

I hope that helps!
- David

Author Comment

by:gdemaria
ID: 17962179

 Hi Trail, when I said software, I was actually thinking ColdFusion coding. As in checking some type of authentication or something.

 Perhaps I could embed some javascript into the page that ensures it's being run on a particular domain? ... but then again, would the domain still be my company, since it is actually being run there :)

 Or an authentication key based on time stamp, but I don't want the client customer to have to do any coding (as in generating the hash and passing it to me).

 David may be right, no easy way...

 David, there's no way that I can supply data to the customer and ask them to code. The application is far too complex; it's part of our bread and butter to keep the data to ourselves and present it in the way we do. (It's far more than the "best wines" I indicated in the question.)


Expert Comment

by:hammond_david
ID: 17965729
I understand what you're saying -- it's a full application, not as simple as a news feed.  The only really secure solution would be to provide your client with a script that authenticates the client and does the appropriate http gets and posts to access the application on your server.  Other than that, you're relying on javascript (you might be able to check top.location.href to make sure it is within a frame that is hosted by an authorized client), or on the http_referrer, both of which rely too much on the client browser to be truly effective.

Good luck!
- David
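One way to realise David's "script that authenticates the client" together with gdemaria's earlier idea of an authentication key based on a time stamp, as an added example that is not from the thread or from either participant, written in Python rather than ColdFusion. The customer's server mints a short-lived signed link when it renders its page (the cfhttp-style server-side call above), and our server verifies the signature before serving; `COMPANY_SECRETS`, `LINK_LIFETIME`, `sign_url` and `verify_url` are assumed names.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-company shared secrets (example values, not from the thread).
# Each customer gets its own secret when it is set up, so onboarding stays automated.
COMPANY_SECRETS = {"ACME": b"acme-example-shared-secret"}
LINK_LIFETIME = 300  # seconds a signed link stays valid once minted


def _signature(secret, company, expires, path):
    # Bind the company, the expiry and the requested page together in one MAC.
    msg = f"{company}|{expires}|{path}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(company, path, now=None):
    """Customer side: mint a short-lived signed URL for one of our pages."""
    expires = int(now if now is not None else time.time()) + LINK_LIFETIME
    sig = _signature(COMPANY_SECRETS[company], company, expires, path)
    query = urlencode({"company": company, "expires": expires, "sig": sig})
    return f"https://www.ourwebsite.com{path}?{query}"


def verify_url(url, now=None):
    """Our side: return the company name when the signature is valid and the
    link has not expired, else None. Changing the company, path or expiry
    breaks the signature, and a copied link stops working after LINK_LIFETIME."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        company = query["company"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None
    secret = COMPANY_SECRETS.get(company)
    if secret is None:
        return None  # unknown company: fail closed
    if int(now if now is not None else time.time()) > expires:
        return None  # link has expired
    expected = _signature(secret, company, expires, parts.path)
    # Constant-time comparison; encode so a non-ASCII sig cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return company
```

Because the link is only valid for a few minutes, pasting it into another site buys nothing once it expires, which is the property the question asks for.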

Expert Comment

by:substand
ID: 17966146
You mentioned that "I do not see enough consistency with CGI.referrer to see that it is always populated so I don't think that would be a good solution."

I've never noticed it not populated, but supposing that it isn't, is it always populated when coming from your clients?  If so, you can still use it, and if it isn't populated sometimes, don't show the info.  

I think that is your best bet, given that you don't want to simply provide a webservice for them (where you could request authentication). But, even that can be spoofed.


Assisted Solution

by: hammond_david (earned 200 total points)
ID: 17966422
substand, I'm not sure what you mean when you say that a web service can be "spoofed".  If a webservice is accessed via https, then it is pretty darn secure.

The only thing I would note about this is that even if the content is passed securely to the client, it is then only as secure as your client's website :-)

That said, I agree that to keep the honest people honest, checking the referrer *should* work.  The problem is that it depends on the browser to send the referrer properly, and it would be very easy for someone to forge the referrer header on their request.

- David

Author Comment

by:gdemaria
ID: 17966468

 Thanks substand,
 
 I set up a little test to save the CGI.referrer for each visitor accessing our site (accessing our site through our hosting clients). We do currently have a bunch of hosting sites set up without security.

 My logs show that the CGI.referrer is inconsistent. Sometimes it's blank. I see two reasons for this:

 1) we have not required our hosting clients to present our pages in any particular way. That is, we don't enforce them to show our page within an iFrame or a Frame. They can just link to us if they want. This may change, but that's the way it is now. Therefore, the pages could be bookmarked, with no referrer.

 2) I did some research on this and read that the referrer is not always supported by some web servers.  This was very surprising to me, but I did see a blank referrer by some companies that have our page in a frame.  So I am not sure how this happens but it appears to.

 Curious..

Author Comment

by:gdemaria
ID: 17966540

 My latest thinking is that I've been looking at how embedded javascript such as google ads and livehelp and the weather, news, etc. are all working. I grabbed a couple of these from other sites and placed them on mine for a quick test and of course, they did not work.

 I am wondering if I can take the technology they are using and apply it to my situation.

 Perhaps I can give them a block of javascript code that will create an iFrame sourcing my web site. The javascript code would exist on my server and somehow check who they are (the same way Google Ads and LiveHelp do).

 If the hosting company is using frames (and doesn't want the iFrame approach) perhaps I can have them place some other javascript in their frame, something that I can test for in the parent.window dom again using javascript.  Of course it seems this might be able to be stripped out by a savvy user.

 Thoughts?    Again, all input is very much appreciated :)

Expert Comment

by:substand
ID: 17966596
David,

I didn't mean the webservice could be spoofed... I meant that to refer to the referrer.  Sorry for the confusion.

gdemaria:

You said "1) we have not required our hosting clients to present our pages in any particular way. That is, we don't enforce them to show our page within an iFrame or a Frame. They can just link to us if they want. This may change, but that's the way it is now. Therefore, the pages could be bookmarked, with no referrer."

I was thinking you only wanted to show it when linked to from their site, or embedded in a frame, or whatever.  In that case, they should always be sending the referrer.  Yes, if someone bookmarked it, then it wouldn't show... but I thought that was precisely your point.  Sorry if I misunderstood.

You also mentioned something about google ads -  In my experience, wherever I place them they work ... so I'm not sure what you're getting at there.

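The referer allow-list check that substand and David discuss, as an added example that is not from the thread, written in Python rather than ColdFusion. It fails closed on the blank referer gdemaria saw in his logs and compares the host exactly, which is where such checks usually go wrong; `ALLOWED_REFERER_HOSTS`, `referer_host` and `referer_allowed` are assumed names.

```python
from urllib.parse import urlsplit

# Constructed allow-list (example data, not from the thread): company id ->
# hostnames from which that company's site may link to or frame our pages.
ALLOWED_REFERER_HOSTS = {
    "ACME": {"acme.com", "www.acme.com"},
}


def referer_host(referer):
    """Return the lowercase hostname from a Referer value, or None if the
    header is absent, blank, or not an http(s) URL."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def referer_allowed(company, referer):
    """True only when the Referer host is exactly one of the company's listed
    hosts. A blank Referer (bookmark, privacy setting, some frame setups)
    fails closed, as substand suggests. Exact host comparison matters: a
    substring test for "acme.com" would also pass acme.com.example.net, or a
    URL that merely mentions acme.com in its query string. The header is
    still client-supplied, so this only keeps honest people honest, as David
    notes above."""
    host = referer_host(referer)
    if host is None:
        return False
    return host in ALLOWED_REFERER_HOSTS.get(company, set())
```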