Solved

Controlling access to a third party URL

Posted on 2015-01-29
Last Modified: 2015-02-09
I am setting up something like an employee suggestion scheme using a proprietary system made available under license by an independent provider on their servers. We develop the feedback survey design which the service provider will implement and they will give us a URL for employees to use to access it. An employee might legitimately make more than one response if there are several issues they want to comment on and we want as many valid responses as possible.

The survey tools include things like graphical elements that can be dragged around a chart to register an opinion so it is more than just check boxes, radio buttons and text fields. I'm not into web coding and wouldn't be told how it is implemented even if I could understand it as it's all valuable intellectual property. The system is designed to encourage responses so it is very open and it is anonymous as an absolute matter of policy.

We are concerned that an employee wanting to make a point might get friends and family to access the survey and submit responses on their behalf, to emphasise something. If they can see the URL, either in the link they are given to get to the survey or in the browser window when they get there, they can just copy that to other people.

Without using information that would identify the respondent, as this is against the service provider's policy, we would like to make sure that at least the bulk of responses are from staff even if we can't lock it down 100%.

Staff can be directed to the survey via email or on the intranet, whichever we choose.

Is there something I could suggest to the service provider or anything we could do locally that would prevent the staff from finding the URL or fix it so that they could only access the survey from a work computer?

I am just looking for a strategy to suggest as I realise a complete solution isn't possible with so little detail about the employer's and service provider's systems.

We don't want it indexed by search engines so all the things people worry about affecting search ranking aren't a problem here.
Question by:sjgrey
7 Comments
 
LVL 50

Expert Comment

by:Lowfatspread
ID: 40577167
Personally I think you're worrying about this from the wrong perspective....

If you get any responses via this treat it as a positive "response" ... if an issue generates such "emotion" someone is getting outsiders to comment then IT IS AN ISSUE...

However, as with all suggestion/survey schemes the most effort needs to go into actually understanding and interpreting the results....

1) format your survey .... and set it up ... giving consideration to HOW PEOPLE WILL INTERPRET/USE IT
2) get the response
3) ANALYZE The responses
4) Check the responses... what actual problems/suggestions have been identified
5) Confirm it's a Majority/Valid view... not just isolated / or crackpot/joke
6) LEARN from the response
7) Implement Something!  
or 8) LEAD the Change
 
LVL 1

Author Comment

by:sjgrey
ID: 40585449
Sorry I didn't answer but it seems to me you are just saying I shouldn't ask the question.

There are very good reasons for wanting to confine responses to the target group: industrial relations, public relations, integrity of the research ...

This is a novel form of surveying, not standard NPS or Likert scale, and its purpose is to explore a complex system, not to measure a well-defined system.

So my question remains. Is there any general strategy I can adopt to hide the URL, allow legitimate staff, logged in on the intranet, to respond several times if they want, but prevent people elsewhere from accessing the survey?
 
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 40597913
As you've already alluded to, you can only put deterrents in place and cannot prevent

> ... could only access the survey from a work computer?

That's fairly easy as your company will most likely have a public static IP address that you can configure your host to only accept requests from that IP address. The caveat is that if the employees are off-site, they may still be able to VPN to the office and submit the form as if they were in the office, circumventing this approach.

Every situation is going to be flawed as you don't know who is sitting in front of the employee's computer.

The problem with a browser is that you can see all the code as the browser needs it to run. It's not compiled, though it can be obfuscated, making it very difficult to reverse engineer. URLs, you can obfuscate but the browser will show you every network connection and URL it makes.

I would talk to your network guys and say that this URL can only be accessed by a certain range of internal IP addresses (excluding VPN IP addresses) and your company's public IP address. You may need to configure a proxy to handle the double handling of connections. This would mean that the person submitting the form would have to have done it from the office. If s/he brings a friend/family into the office on the weekend and gets them to do the survey, well that opens up all kinds of social and personal issues that have to be dealt with by management.

Is that feasible?
 
LVL 1

Author Comment

by:sjgrey
ID: 40598090
This is sounding promising but I'm not quite clear if what you are suggesting is done at the user's end or on the server hosting the survey or a bit of both.

Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.

Similarly, if a proxy is required, is that at the server end as well?

Sorry if these questions seem a bit basic but this isn't my area of expertise. I just need to be able to point the tech people in the right direction and give them enough that they won't just say it can't be done.

Thanks
 
LVL 42

Accepted Solution

by:Rob Jurd, EE MVE (earned 500 total points)
ID: 40598109
> Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.

Yes, that's what I'm suggesting and it can be configured easily by your host (having done it before to block certain countries from "visiting" our website).

> Similarly, if a proxy is required, is that at the server end as well?

The proxy would be on your end, in as much as it would be managed by your team. Essentially your office computers connect to the proxy, requesting a URL and it either says Yes or No, which is configured by you. As long as the connecting computer is within the valid range of IP addresses for the survey URL then it's a "Yes". The proxy is there to force the survey to be submitted from the office. Networking isn't my strong suit so there's bound to be some caveats to this approach, however at the end of the day this is a deterrent, you're just trying to make it a good one.
0
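The two checks described in the accepted answer, sketched as an added example that is not part of the original thread or of any poster's code: the office proxy forwards survey requests only from office addresses outside the VPN pool, and the survey host accepts only the company's public IP. All address ranges are constructed sample values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 / RFC 1918), not taken from the thread.
COMPANY_PUBLIC = [ipaddress.ip_network("203.0.113.10/32")]  # office static egress IP
OFFICE_LAN = [ipaddress.ip_network("10.20.0.0/16")]         # internal office addresses
VPN_POOL = [ipaddress.ip_network("10.20.250.0/24")]         # VPN clients, excluded


def _parse(text):
    """Return an ip_address object, or None when the text is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def proxy_permits(client_ip):
    """Office proxy: forward the survey URL only for office desks, never VPN."""
    addr = _parse(client_ip)
    if addr is None or _in_any(addr, VPN_POOL):
        return False  # the VPN exclusion wins even though the pool sits inside the LAN
    return _in_any(addr, OFFICE_LAN)


def host_permits(peer_ip, headers=None):
    """Survey host: decide on the TCP peer address only.

    Headers such as X-Forwarded-For are supplied by the client, so they are
    deliberately ignored; the parameter only makes that explicit.
    """
    addr = _parse(peer_ip)
    return addr is not None and _in_any(addr, COMPANY_PUBLIC)


def reaches_survey(client_ip, egress_ip, headers=None):
    """Both layers together: the proxy lets the request out, the host accepts it."""
    return proxy_permits(client_ip) and host_permits(egress_ip, headers)
```

The decision uses the address only to answer yes or no and stores nothing, so it does not add identifying data to the responses themselves.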
 
LVL 1

Author Closing Comment

by:sjgrey
ID: 40598119
That's great thanks. I feel I have enough to ask the technical personnel to turn their minds to it now.
 
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 40598148
No problem, thanks for the points and good luck with your project.