

Controlling access to a third party URL

Posted on 2015-01-29
Medium Priority
Last Modified: 2015-02-09
I am setting up something like an employee suggestion scheme using a proprietary system made available under license by an independent provider on their servers. We develop the feedback survey design which the service provider will implement and they will give us a URL for employees to use to access it. An employee might legitimately make more than one response if there are several issues they want to comment on and we want as many valid responses as possible.

The survey tools include things like graphical elements that can be dragged around a chart to register an opinion so it is more than just check boxes, radio buttons and text fields. I'm not into web coding and wouldn't be told how it is implemented even if I could understand it as it's all valuable intellectual property. The system is designed to encourage responses so it is very open and it is anonymous as an absolute matter of policy.

We are concerned that an employee wanting to make a point might get friends and family to access the survey and submit responses on their behalf, to emphasise something. If they can see the URL, either in the link they are given to get to the survey or in the browser window when they get there, they can just copy that to other people.

Without using information that would identify the respondent, as this is against the service provider's policy, we would like to make sure that at least the bulk of responses are from staff even if we can't lock it down 100%.

Staff can be directed to the survey via email or on the intranet, whichever we choose.

Is there something I could suggest to the service provider or anything we could do locally that would prevent the staff from finding the URL or fix it so that they could only access the survey from a work computer?

I am just looking for a strategy to suggest as I realise a complete solution isn't possible with so little detail about the employer's and service provider's systems.

We don't want it indexed by search engines so all the things people worry about affecting search ranking aren't a problem here.
Question by: sjgrey
LVL 50

Expert Comment

ID: 40577167
Personally I think you're worrying about this from the wrong perspective....

If you get any responses via this, treat it as a positive "response" ... if an issue generates such "emotion" that someone is getting outsiders to comment then IT IS AN ISSUE...

However, as with all suggestion/survey schemes, the most effort needs to go into actually understanding and interpreting the results....

1) Format your survey .... and set it up ... giving consideration to HOW PEOPLE WILL INTERPRET/USE IT
2) get the response
3) ANALYZE The responses
4) Check the responses... what actual problems/suggestions have been identified
5) Confirm it's a Majority/Valid view... not just isolated / or crackpot/joke
6) LEARN from the response
7) Implement Something!  
or 8) LEAD the Change

Author Comment

ID: 40585449
Sorry I didn't answer but it seems to me you are just saying I shouldn't ask the question

There are very good reasons for wanting to confine responses to the target group: industrial relations, public relations, integrity of the research ...

This is a novel form of surveying, not standard NPS or Likert scale, and its purpose is to explore a complex system, not to measure a well-defined system.

So my question remains. Is there any general strategy I can adopt to hide the URL, allow legitimate staff, logged in on the intranet, to respond several times if they want, but prevent people elsewhere from accessing the survey?
LVL 43

Expert Comment

ID: 40597913
As you've already alluded to, you can only put deterrents in place and cannot prevent

"... could only access the survey from a work computer?"
That's fairly easy, as your company will most likely have a public static IP address, and you can configure your host to only accept requests from that IP address. The caveat is that if the employees are off-site, they may still be able to VPN to the office and submit the form as if they were in the office, circumventing this approach.

Every situation is going to be flawed as you don't know who is sitting in front of the employee's computer.

The problem with a browser is that you can see all the code, as the browser needs it to run. It's not compiled, though it can be obfuscated, making it very difficult to reverse engineer. URLs you can obfuscate, but the browser will show you every network connection and URL it makes.

I would talk to your network guys and say that this URL can only be accessed by a certain range of internal IP addresses (excluding VPN IP addresses) and your company's public IP address. You may need to configure a proxy to handle the double handling of connections. This would mean that the person submitting the form would have to have done it from the office. If s/he brings a friend/family into the office on the weekend and gets them to do the survey, well, that opens up all kinds of social and personal issues that have to be dealt with by management.

Is that feasible?
Author Comment

ID: 40598090
This is sounding promising but I'm not quite clear if what you are suggesting is done at the user's end or on the server hosting the survey or a bit of both.

Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.

Similarly, if a proxy is required, is that at the server end as well?

Sorry if these questions seem a bit basic but this isn't my area of expertise. I just need to be able to point the tech people in the right direction and give them enough that they won't just say it can't be done.

LVL 43

Accepted Solution

Rob earned 2000 total points
ID: 40598109
"Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL."
Yes, that's what I'm suggesting and it can be configured easily by your host (having done it before to block certain countries from "visiting" our website).

"Similarly, if a proxy is required, is that at the server end as well?"
The proxy would be on your end, in as much as it would be managed by your team. Essentially your office computers connect to the proxy, requesting a URL, and it either says Yes or No, which is configured by you. As long as the connecting computer is within the valid range of IP addresses for the survey URL then it's a "Yes". The proxy is there to force the survey to be submitted from the office. Networking isn't my strong suit so there's bound to be some caveats to this approach; however, at the end of the day this is a deterrent, you're just trying to make it a good one.
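
The two checks described in the answers above, as an added example that is not part of the original thread or any provider's code: the office proxy forwards survey requests only from on-site, non-VPN addresses, and the survey host accepts only connections arriving from the office's public IP. Every address, the host name and the function names are constructed for illustration.

```python
import ipaddress

# Constructed values (private and documentation ranges); none come from the thread.
OFFICE_LAN = ipaddress.ip_network("10.20.0.0/16")         # internal office addresses
VPN_POOL = ipaddress.ip_network("10.20.250.0/24")         # addresses handed to VPN clients
OFFICE_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # company's static public IP
SURVEY_HOST = "survey.example.com"                        # placeholder for the provider's host


def _parse(value):
    """Return an ip_address object, or None for malformed input (fail closed)."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def office_proxy_allows(client_ip, requested_host):
    """Office side: forward survey requests only from on-site, non-VPN machines."""
    if requested_host.lower() != SURVEY_HOST:
        return True  # this rule only governs the survey host
    ip = _parse(client_ip)
    if ip is None:
        return False
    return ip in OFFICE_LAN and ip not in VPN_POOL


def provider_allows(peer_ip, headers=None):
    """Provider side: accept only connections whose TCP peer is the office IP.

    The headers argument is deliberately ignored: X-Forwarded-For is supplied
    by the client, so it cannot prove where a request came from.
    """
    ip = _parse(peer_ip)
    return ip is not None and ip == OFFICE_PUBLIC_IP
```

Without the proxy rule, a VPN user would leave the office through the same public IP and pass the provider's check, which is the caveat raised earlier in the thread.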

Author Closing Comment

ID: 40598119
That's great thanks. I feel I have enough to ask the technical personnel to turn their minds to it now.
LVL 43

Expert Comment

ID: 40598148
No problem, thanks for the points and good luck with your project.


Question has a verified solution.
