
Securing our website

Let's start at the beginning.  A few years ago, we developed an application that was web based.  It assisted corporate customers in managing their purchasing needs.  The application has security built into it in the form of a user ID and password.  Very early in the deployment we discovered that if a user logged into the system, browsed to a document (PDF) or a data page, they could copy and paste the URL into another browser and see the document or data without having to log back in. So, we purchased an application that protects each secure resource and validates that the user has a login cookie in the browser before passing the request to our application.  If the user tried to copy and paste the URL into a browser without the secure cookie, it prompts the user for credentials before displaying the information.  Very similar process for most web sites.  For instance, if I log into my checking account, view my transactions page and then try to cut and paste the transaction page URL into another browser, my bank login page appears, not my transaction page.

So now, to the problem: the product we currently use is very expensive, and for very large customers it becomes cost prohibitive.  The data we are securing is not national security stuff, no credit card numbers, no Social Security numbers, no personal information, just data about what that company buys and what it pays for the products.  It certainly is confidential, but doesn't need this level of security.  So how can I prevent the security problem above without costing an arm and a leg?
1 Solution
Well, if a user can simply access secure data by entering a URL, that's a really big programming flaw. Recently I've been programming web applications that restrict access. It's rather simple. If you use, say, PHP you can use SESSIONS. When a user logs into your web page you write a session in the cookie.
If you're a programmer, I suggest you implement this. So in your code there is a simple if. Like this:
In the variable user, you can write the hash of his password and some secret key, so it's hard to guess the content of your cookie.
So if you paste the code and this if clause is not met, bye bye unauthorized user :)

If you are using Apache, use .htaccess protection.  You can either secure a directory (if you want to place all of your documents that you want secured into one or several directories) or you could simply secure particular extensions (like .pdf) and allow different usernames/passwords by creating a .htpasswd file.
Make sure to also deny access to this .htpasswd file and place it outside of your website's root directory.
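The .htaccess approach described in the answer above, written out as an added example (not configuration from the thread or from the poster's site). The paths are assumptions: the document root is /var/www/site/public and the password file sits one level above it at /var/www/site/.htpasswd, so Apache can never serve it.

```apache
# Added example, not from the original thread. Placed in /var/www/site/public/.htaccess.
# Requires AllowOverride AuthConfig (and Limit for the <Files> block) on this directory.

# Challenge for credentials on every .pdf, wherever it sits under the document root.
<FilesMatch "\.pdf$">
    AuthType Basic
    AuthName "Purchasing documents"
    AuthUserFile /var/www/site/.htpasswd
    Require valid-user
</FilesMatch>

# Belt and braces: the password file lives outside the document root, but if a
# copy ever lands inside it, refuse to serve it. (Apache 2.4 syntax; 2.2 used
# "Order allow,deny" / "Deny from all".)
<Files ".htpasswd">
    Require all denied
</Files>
```

Create the password file with `htpasswd -c /var/www/site/.htpasswd alice` (add `-B` for bcrypt on Apache 2.4.4 or later; the `-c` flag creates the file and is only used the first time). Two caveats a practitioner would want: Basic auth sends the credentials base64-encoded on every request, so this only makes sense over HTTPS; and unless Apache is pointed at the same user store as the application (e.g. via mod_authn_dbd), users get a second login prompt with a second set of credentials, and Apache cannot know which company a given PDF belongs to, so the per-customer authorization still has to happen in the application.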
I agree with zstapic.

What you have just described is a complete lapse in proper coding standards, as well as in testing by your company's developers and testing team.

The fact that it was approved to go online with such issues already shows there's something wrong with your software development life cycle.

I believe this is an issue with your development life cycle, and the problem should not be fixed by purchasing another product to cover it up.

To fix the problem I have a few suggestions:

1. Build staff competencies

Send your developers for some training in developing web applications (most courses nowadays have a few dedicated modules on security). Better still, send them for courses on developing "SECURE" web applications if you can.

Also, send them for a course on security and the software development life cycle.

Hire project managers that are aware of the secure development life cycle.

Some references:

2. Building up the competencies of your developers takes time. So, you'll need tools that are able to test your application and verify its correctness. Tools such as static code analyzers come to mind; there are many good ones out there. I recommend (and have personally used):


They have automated code analysis and unit testing which actually test your applications as if they were running. The drawback is they do *almost* cost an arm and a leg.

But, you'll need to invest *some* money into IT security. Expertise does not just fall from the sky and onto your lap.

Hope that helps
Agreed.  The use of sessions is what you need (and indeed what should have been in place from the start).  There's a good rundown of some of the methods of session management at http://www.technicalinfo.net/papers/WebBasedSessionManagement.html.

Of course, you'll need to learn how to implement sessions in the language used by your application.  There's also good information at OWASP http://www.owasp.org/index.php/Session_Management
Just make sure to read that OWASP link and not just implement isset($_SESSION as mentioned as a base/start example above.  Session hijacking is actually a fairly common practice among attackers, especially when someone can eavesdrop on your network connection in some way.  
Some think that implementing secure protocols for your web traffic (i.e. SSL/TLS, SFTP, etc.) would protect you against that.  However, now you're talking about securing that traffic and hoping you didn't implement it wrong.  There are various ways I could force normal traffic over your non-secured protocol through MiTM techniques.
We also need the session to regenerate on login.  Otherwise I might be able to send you a link or force a query that actually sets my own made-up session when you login.
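The session check zstapic describes, combined with the two cautions in the last answer (hijacking of the session cookie, and regenerating the session on login), written out as one added example. This is not code from the thread, from the poster's application, or from any of the answerers; it is a minimal PHP handler for exactly the failure in the question, a pasted PDF URL that reaches the document without the application ever running. The file layout is assumed: login.php and document.php under the web root /var/www/site/public, and the PDFs in /var/www/site/private, outside the web root, so the only route to a document is through this script. The user table is constructed for the example.

```php
<?php
// Added example for this thread, not the poster's or zstapic's code.
// Assumed layout (my assumptions, not from the thread):
//   /var/www/site/public/login.php     -> calls login() with the POSTed form
//   /var/www/site/public/document.php  -> calls sendDocument($_GET['file'] ?? '')
//   /var/www/site/private/             -> PDFs live here, OUTSIDE the web root,
//                                         so Apache can never serve them directly
declare(strict_types=1);

const DOC_DIR = '/var/www/site/private';

// Constructed user table for the example; a real application reads this from
// its database. Only password hashes are stored, never passwords.
function userStore(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Start the session with hardened settings. The cookie carries only a random
// session ID; everything about the user stays server-side in $_SESSION.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([                // array form needs PHP 7.3+
        'lifetime' => 0,      // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,   // only ever sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verify credentials and establish the logged-in session.
function login(string $username, string $password): bool
{
    startSecureSession();
    $users = userStore();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh session ID on every successful login, so an ID an attacker
    // planted in the victim's browser beforehand never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Gate for every protected resource: bounce to the login page unless a valid
// session exists. Returns the username on success.
function requireLogin(): string
{
    startSecureSession();
    if (empty($_SESSION['user'])) {
        $next = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php?next=' . rawurlencode($next));
        exit;
    }
    return $_SESSION['user'];
}

// Serve a PDF through the application. Because the file is read from DOC_DIR
// (outside the web root) and written out by this script, a pasted URL can only
// ever reach the document by passing requireLogin() first.
function sendDocument(string $requested): void
{
    $user = requireLogin();
    // Allow only a bare file name ending in .pdf: no slashes, no "..", no NULs.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $requested)) {
        http_response_code(400);
        exit;
    }
    $path = DOC_DIR . '/' . $requested;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Authorization (which company's documents $user may see) belongs here;
    // it is application-specific and omitted from this example.
    error_log("document {$requested} served to {$user}");
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $requested . '"');
    header('Cache-Control: private, no-store'); // keep proxies and caches from keeping a copy
    readfile($path);
}
```

login.php calls `login($_POST['user'], $_POST['pass'])` and redirects on success; document.php calls `sendDocument($_GET['file'] ?? '')`. Two design choices worth noting. The cookie never contains a password hash or any user data, only a random session ID that maps to server-side state, which is why the Secure and HttpOnly flags and TLS matter: the ID is the thing worth stealing. And the PDFs are deliberately kept out of the document root; if they were served as static files from under it, the web server would hand them out without this script ever running, which is precisely how the pasted-URL bypass in the question arises.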
