Controlling access to a third party URL

Posted on 2015-01-29
Medium Priority
Last Modified: 2015-02-09
I am setting up something like an employee suggestion scheme using a proprietary system made available under license by an independent provider on their servers. We develop the feedback survey design which the service provider will implement and they will give us a URL for employees to use to access it. An employee might legitimately make more than one response if there are several issues they want to comment on and we want as many valid responses as possible.

The survey tools include things like graphical elements that can be dragged around a chart to register an opinion so it is more than just check boxes, radio buttons and text fields. I'm not into web coding and wouldn't be told how it is implemented even if I could understand it as it's all valuable intellectual property. The system is designed to encourage responses so it is very open and it is anonymous as an absolute matter of policy.

We are concerned that an employee wanting to make a point might get friends and family to access the survey and submit responses on their behalf, to emphasise something. If they can see the URL, either in the link they are given to get to the survey or in the browser window when they get there, they can just copy that to other people.

Without using information that would identify the respondent, as this is against the service provider's policy, we would like to make sure that at least the bulk of responses are from staff even if we can't lock it down 100%.

Staff can be directed to the survey via email or on the intranet, whichever we choose.

Is there something I could suggest to the service provider or anything we could do locally that would prevent the staff from finding the URL or fix it so that they could only access the survey from a work computer?

I am just looking for a strategy to suggest as I realise a complete solution isn't possible with so little detail about the employer's and service provider's systems.

We don't want it indexed by search engines so all the things people worry about affecting search ranking aren't a problem here.
Question by: sjgrey

Expert Comment

ID: 40577167
Personally I think you're worrying about this from the wrong perspective....

If you get any responses via this treat it as a positive "response" ... if an issue generates such "emotion" someone is getting outsiders to comment then IT IS AN ISSUE...

However, as with all suggestion/survey schemes the most effort needs to go into actually understanding and interpreting the results....

1) Format your survey .... and set it up ... giving consideration to HOW PEOPLE WILL INTERPRET/USE IT
2) Get the response
3) ANALYZE the responses
4) Check the responses... what actual problems/suggestions have been identified
5) Confirm it's a Majority/Valid view... not just isolated / or crackpot/joke
6) LEARN from the response
7) Implement Something!  
or 8) LEAD the Change

Author Comment

ID: 40585449
Sorry I didn't answer but it seems to me you are just saying I shouldn't ask the question

There are very good reasons for wanting to confine responses to the target group: industrial relations, public relations, integrity of the research ...

This is a novel form of surveying, not standard NPS or Likert scale and its purpose is to explore a complex system not to measure a well defined system

So my question remains. Is there any general strategy I can adopt to hide the URL, allow legitimate staff, logged in on the intranet, to respond several times if they want, but prevent people elsewhere from accessing the survey?

Expert Comment

ID: 40597913
As you've already alluded to, you can only put deterrents in place and cannot prevent

"... could only access the survey from a work computer?"
That's fairly easy as your company will most likely have a public static IP address that you can configure your host to only accept requests from that IP address. The caveat is that if the employees are off-site, they may still be able to VPN to the office and submit the form as if they were in the office, circumventing this approach.

Every situation is going to be flawed as you don't know who is sitting in front of the employee's computer.

The problem with a browser is that you can see all the code as the browser needs it to run.  It's not compiled though it can be obfuscated making it very difficult to reverse engineer.  URLs, you can obfuscate but the browser will show you every network connection and url it makes.

I would talk to your network guys and say that this URL can only be accessed by a certain range of internal IP addresses (excluding VPN IP addresses) and your company's public IP address. You may need to configure a proxy to handle the double handling of connections. This would mean that the person submitting the form would have to have done it from the office. If s/he brings a friend/family into the office on the weekend and gets them to do the survey, well that opens up all kinds of social and personal issues that have to be dealt with by management.

Is that feasible?
Author Comment

ID: 40598090
This is sounding promising but I'm not quite clear if what you are suggesting is done at the user's end or on the server hosting the survey or a bit of both.

Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL.

Similarly, if a proxy is required, is that at the server end as well?

Sorry if these questions seem a bit basic but this isn't my area of expertise. I just need to be able to point the tech people in the right direction and give them enough that they won't just say it can't be done.

Accepted Solution

Rob earned 2000 total points
ID: 40598109
"Do you mean to arrange it so that the server will only accept access to a particular URL from certain IP addresses? If so, I presume this would be accomplished within the code associated with that URL."
Yes, that's what I'm suggesting and it can be configured easily by your host (having done it before to block certain countries from "visiting" our website)

"Similarly, if a proxy is required, is that at the server end as well?"
The proxy would be on your end, in as much as it would be managed by your team. Essentially your office computers connect to the proxy, requesting a URL and it either says Yes or No, which is configured by you. As long as the connecting computer is within the valid range of IP addresses for the survey URL then it's a "Yes". The proxy is there to force the survey to be submitted from the office. Networking isn't my strong suit so there's bound to be some caveats to this approach, however at the end of the day this is a deterrent, you're just trying to make it a good one.
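
An added example, not part of the thread and not the service provider's code: the two checks described in the answers above, with the office proxy admitting only on-site addresses (VPN pool excluded) and the survey host admitting only the company's public address. All addresses are constructed placeholders from documentation and private ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
OFFICE_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # company's static egress address
OFFICE_LAN = [ipaddress.ip_network("10.20.0.0/16")]       # internal ranges allowed to reach the survey
VPN_POOLS = [ipaddress.ip_network("10.20.250.0/24")]      # remote-access pool inside the LAN range


def proxy_allows(client_ip: str) -> bool:
    """Office-side proxy: permit the survey URL only for on-site, non-VPN clients."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: fail closed
    if any(addr in pool for pool in VPN_POOLS):
        return False  # the VPN deny takes precedence over the broader LAN allow
    return any(addr in net for net in OFFICE_LAN)


def host_allows(peer_ip: str) -> bool:
    """Survey host: accept only connections whose peer is the office egress address.

    The connection's peer address is checked, not a client-supplied header
    such as X-Forwarded-For, which the sender can set to any value.
    """
    try:
        return ipaddress.ip_address(peer_ip) == OFFICE_PUBLIC_IP
    except ValueError:
        return False


def survey_reachable(client_ip: str, egress_ip: str) -> bool:
    """Office path: the request must pass the proxy, then the host filter."""
    return proxy_allows(client_ip) and host_allows(egress_ip)


if __name__ == "__main__":
    # Constructed cases: (description, address seen by proxy, address seen by host)
    cases = [
        ("desk PC in the office", "10.20.4.17", "203.0.113.10"),
        ("staff member on VPN", "10.20.250.8", "203.0.113.10"),
    ]
    for label, client, egress in cases:
        print(f"{label:24} -> {'allow' if survey_reachable(client, egress) else 'deny'}")
    # Someone at home with a copied URL never touches the proxy; the host filter decides.
    print(f"{'copied URL from home':24} -> {'allow' if host_allows('198.51.100.77') else 'deny'}")
```
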

Author Closing Comment

ID: 40598119
That's great thanks. I feel I have enough to ask the technical personnel to turn their minds to it now.

Expert Comment

ID: 40598148
No problem, thanks for the points and good luck with your project.
