
Controlling access to a third party URL

I am setting up something like an employee suggestion scheme using a proprietary system made available under license by an independent provider on their servers. We develop the feedback survey design which the service provider will implement and they will give us a URL for employees to use to access it. An employee might legitimately make more than one response if there are several issues they want to comment on and we want as many valid responses as possible.

The survey tools include things like graphical elements that can be dragged around a chart to register an opinion so it is more than just check boxes, radio buttons and text fields. I'm not into web coding and wouldn't be told how it is implemented even if I could understand it as it's all valuable intellectual property. The system is designed to encourage responses so it is very open and it is anonymous as an absolute matter of policy.

We are concerned that an employee wanting to make a point might get friends and family to access the survey and submit responses on their behalf, to emphasise something. If they can see the URL, either in the link they are given to get to the survey or in the browser window when they get there, they can just copy that to other people.

Without using information that would identify the respondent, as this is against the service provider's policy, we would like to make sure that at least the bulk of responses are from staff even if we can't lock it down 100%.

Staff can be directed to the survey via email or on the intranet, whichever we choose.

Is there something I could suggest to the service provider or anything we could do locally that would prevent the staff from finding the URL or fix it so that they could only access the survey from a work computer?

I am just looking for a strategy to suggest as I realise a complete solution isn't possible with so little detail about the employer's and service provider's systems.

We don't want it indexed by search engines so all the things people worry about affecting search ranking aren't a problem here.
1 Solution
personally i think you're worrying about this from the wrong perspective....

if you get any responses via this treat it as a positive "response" ... if an issue generates such "emotion" someone
is getting outsiders to comment then IT IS AN ISSUE...

However , as with all suggestion/survey schemes the most effort  needs to go into actually understanding and interpreting the results....

1) format your survey .... and set it up ... giving consideration to HOW PEOPLE WILL INTERPRET/USE IT
2) get the response
3) ANALYZE The responses
4) Check the responses... what actual problems/suggestions have been identified
5) Confirm it's a Majority/Valid view... not just isolated / or crackpot/joke
6) LEARN from the response
7) Implement Something!  
or 8) LEAD the Change
sjgreyAuthor Commented:
Sorry I didn't answer but it seems to me you are just saying I shouldn't ask the question

There are very good reasons for wanting to confine responses to the target group: industrial relations, public relations, integrity of the research ...

This is a novel form of surveying, not standard NPS or Likert scale and its purpose is to explore a complex system not to measure a well defined system

So my question remains. Is there any general strategy I can adopt to hide the URL, allow legitimate staff, logged in on the intranet, to respond several times if they want, but prevent people elsewhere from accessing the survey?
RobOwner (Aidellio)Commented:
As you've already alluded to, you can only put deterrents in place and cannot prevent

... could only access the survey from a work computer?
That's fairly easy as your company will most likely have a public static ip address that you can configure your host to only accept requests from that IP address.  The caveat is that if the employees are off-site, they may still be able to VPN to the office and submit the form as if they were in the office, circumventing this approach.

Every situation is going to be flawed as you don't know who is sitting in front of the employee's computer.

The problem with a browser is that you can see all the code as the browser needs it to run.  It's not compiled though it can be obfuscated making it very difficult to reverse engineer.  URLs, you can obfuscate but the browser will show you every network connection and url it makes.

I would talk to your network guys and say that this url can only be accessed by a certain range of internal IP addresses (excluding VPN IP addresses) and your company's public IP address.  You may need to configure a proxy to handle the double handling of connections.  This would mean that the person submitting the form would have to have done it from the office.  If s/he brings a friend/family into the office on the weekend and gets them to do the survey, well that opens up all kinds of social and personal issues that have to be dealt with by management.

Is that feasible?
sjgreyAuthor Commented:
This is sounding promising but I'm not quite clear if what you are suggesting is done at the user's end or on the server hosting the survey or a bit of both.

Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.

Similarly, if a proxy is required, is that at the server end as well?

Sorry if these questions seem a bit basic but this isn't my area of expertise. I just need to be able to point the tech people in the right direction and give them enough that they won't just say it can't be done.

RobOwner (Aidellio)Commented:
Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.
Yes, that's what I'm suggesting and it can be configured easily by your host (having done it before to block certain countries from "visiting" our website)

Similarly, if a proxy is required, is that at the server end as well?
The proxy would be on your end, in as much as it would be managed by your team.  Essentially your office computers connect to the proxy, requesting a URL and it either says Yes or No, which is configured by you.  As long as the connecting computer is within the valid range of IP addresses for the survey URL then it's a "Yes".  The proxy is there to force the survey to be submitted from the office.  Networking isn't my strong suit so there's bound to be some caveats to this approach, however at the end of the day this is a deterrent, you're just trying to make it a good one.
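Rob's two comments above describe a host-side IP restriction on the survey URL (with VPN address ranges excluded) and an office-side proxy that forces submissions to come from the office. The following is an added Python example written for this page; it is not code from Rob, the poster or the survey provider, and the address ranges and log lines in it are constructed and hypothetical. It shows the allowlist check the host would apply, the VPN carve-out taking precedence over the allowed LAN range, and the caveat a proxy introduces: the server sees the proxy's address rather than the employee's, so it has to read the original client address from the X-Forwarded-For header, and it must honour that header only when the request really arrived from the trusted proxy, because anyone else can set it to whatever they like.

```python
import ipaddress

# Constructed, hypothetical address ranges (not from the page or any real network).
OFFICE_PUBLIC_IPS = ["203.0.113.10/32"]   # the office's public (egress / proxy) address
INTERNAL_RANGES = ["10.10.0.0/16"]         # internal office LAN
VPN_RANGES = ["10.10.200.0/24"]            # VPN client pool, carved out of the LAN range


def build_policy(allow_ranges, deny_ranges):
    """Parse CIDR strings into network objects; deny ranges win over allow ranges."""
    return {
        "allow": [ipaddress.ip_network(r, strict=False) for r in allow_ranges],
        "deny": [ipaddress.ip_network(r, strict=False) for r in deny_ranges],
    }


def is_allowed(client_ip, policy):
    """True only if the address is inside an allowed range and not inside any
    denied range. Unparseable addresses are rejected (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if any(addr in net for net in policy["deny"]):
        return False
    return any(addr in net for net in policy["allow"])


def real_client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Behind the company proxy the connecting peer is the proxy, so take the
    client address from X-Forwarded-For. The header is used only when the
    direct peer is a trusted proxy; from anyone else it is untrusted input."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def filter_requests(log_lines, policy, trusted_proxies=()):
    """Classify constructed access-log lines of the form
    '<remote_addr> <x-forwarded-for or -> <path>' into allowed and rejected."""
    allowed, rejected = [], []
    for line in log_lines:
        remote, xff, path = line.split()
        client = real_client_ip(remote, None if xff == "-" else xff, trusted_proxies)
        (allowed if is_allowed(client, policy) else rejected).append((client, path))
    return allowed, rejected


POLICY = build_policy(OFFICE_PUBLIC_IPS + INTERNAL_RANGES, VPN_RANGES)
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]  # hypothetical proxy address

# Constructed sample requests (hypothetical survey path).
SAMPLE_LOG = [
    "203.0.113.10 - /survey/abc",            # direct from the office egress address
    "203.0.113.10 10.10.5.7 /survey/abc",    # office LAN client via the company proxy
    "203.0.113.10 10.10.200.4 /survey/abc",  # VPN client via the proxy: denied
    "198.51.100.7 10.10.5.7 /survey/abc",    # outsider setting X-Forwarded-For: header ignored
    "198.51.100.7 - /survey/abc",            # outsider, no header
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_LOG, POLICY, TRUSTED_PROXIES)
    print("allowed:", ok)
    print("rejected:", bad)
```

The deny list is evaluated first so that a VPN pool inside the LAN range is still excluded, and the forwarded header is only trusted from the proxy's own address; both points are where a quick allowlist usually goes wrong and, as Rob says, this remains a deterrent rather than a guarantee, since it says nothing about who is sitting at the office machine.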
sjgreyAuthor Commented:
That's great thanks. I feel I have enough to ask the technical personnel to turn their minds to it now.
RobOwner (Aidellio)Commented:
No problem, thanks for the points and good luck with your project.