Securing our website
Posted on 2008-11-12
Let's start at the beginning. A few years ago, we developed an application that was web based. It assisted corporate customers in managing their purchasing needs. The application has security built into it in the form of a user ID and password. Very early in the deployment we discovered that if a user logged into the system, browsed to a document (PDF) or a data page, they could copy and paste the URL into another browser and see the document or data without having to log back in. So, we purchased an application that protects each secure resource and validates that the user has a login cookie in the browser before passing the request to our application. If the user tried to copy and paste the URL into a browser without the secure cookie, it prompts the user for credentials before displaying the information. Very similar process for most web sites. For instance, if I log into my checking account, view my transactions page and then try to cut and paste the transaction page URL into another browser, my bank login page appears, not my transaction page.
So now, to the problem: the product we currently use is very expensive, and for very large customers it becomes cost prohibitive. The data we are securing is not national security stuff, no credit card numbers, no Social Security Numbers, no personal information, just data about what that company buys and what it pays for the products. It certainly is confidential, but doesn't need this level of security. So how can I prevent the security problem above without costing an arm and a leg?
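As an added illustration of the per-resource check the post describes (example code written for this page, not the gatekeeper product the author bought), here is a minimal gatekeeper in Python that serves a protected document only when the request carries a valid, signed, unexpired session cookie, next to the unchecked handler that caused the pasted-URL problem. The SECRET_KEY, SESSION_TTL, PROTECTED paths and document bytes are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # assumed server-side secret; persist it in a real deployment
SESSION_TTL = 15 * 60                  # assumed session lifetime in seconds

# Constructed stand-ins for the application's protected PDF and data pages.
PROTECTED = {
    "/docs/invoice-123.pdf": b"%PDF-1.4 constructed sample invoice",
    "/data/purchases": b"acme,widgets,1200",
}

def serve_unchecked(path):
    """The original behaviour: whoever knows the URL gets the resource."""
    return (200, PROTECTED[path]) if path in PROTECTED else (404, b"not found")

def issue_session(user_id, now=None):
    """After a successful login, build the cookie value user|expiry|HMAC."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    exp = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{user_id}|{exp}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def validate_session(cookie, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    if not cookie or cookie.count("|") != 2:
        return None
    user_id, exp, sig = cookie.split("|")
    expected = hmac.new(SECRET_KEY, f"{user_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # tampered user id or expiry fails here
        return None
    if not exp.isdigit() or int(exp) <= int(time.time() if now is None else now):
        return None                                  # expired session
    return user_id

def handle_request(path, cookies, now=None):
    """The gatekeeper: every protected path is checked before the app sees it."""
    if path not in PROTECTED:
        return (404, b"not found")
    if validate_session(cookies.get("session"), now) is None:
        return (302, b"/login?next=" + path.encode())   # login page, not the document
    return (200, PROTECTED[path])
```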