
Thread: Prevent access via entering url in address bar of browser

  1. #11

    Quote Originally Posted by yatesco:
        To make it a *little* bit more difficult, make all your controllers only accept posts instead of gets. Anything entered into the URL in a browser is sent as a post....

        To be honest, I think it would be better for you to deal with the security issue instead of ignoring it. This all seems very fragile and a bit nasty.
    Thanks. But this solution is not acceptable in my circumstance.
    It could also be spoofed. For example, Canoo WebTests can send a POST request to any URL once authenticated.

  2. #12

    Re: Prevent access via entering url in address bar of browser

    Thanks to all who replied. I'm going to do some more research. Unfortunately (and as suggested), I'll have to deal with the authorization issues per request use case. I was really hoping to have a blanket solution that would prevent a user from fishing around an application after they were authenticated.

    Thanks again.

  3. #13

    Use interceptors

    Some of the suggested solutions can be implemented once for the entire application by using an interceptor.

  4. #14

    secure data

    I am pretty sure I understand your question, but I don't quite understand your example.

    I think you are saying that someone could enter order ids and pull up other people's orders. I know that some programmers simply use a big, hard-to-guess random number (like an MD5 hash) to identify particular orders, instead of using a numerical index. However, the issue you describe makes me believe that the data is not secure to begin with, so I doubt an "authorized URL" will have the desired effect.

    My suggestion is to consider who creates the data, who owns the data, who can modify the data and who can utilize the data. Make sure that only the rules can be followed. In my opinion, it is better to keep things such as customer orders, etc. (that are accessible by the customers of your web site) static and not dynamic, and only an authorized user could actually access the data.

    I.e., your web server is *not* an authorized user.

    It is a seriously insanely bad idea to keep a full customer database on the same server as "the web site" anyhow.

    I know you didn't elaborate on all this stuff, it just came to my mind and I thought I would comment on it.

    Take care

    Waitman
    Last edited by waitman; Nov 15th, 2005 at 12:49 AM.

  5. #15

    I don't know if I fully understood your problem. You could use some kind of "token". Your navigation starts with "1" and increases it sequentially with every controller method.

    You should carry the token in a hidden field, and compare the token with the expected token in the session. I mean:

    Page 1. Your user logs in. Set the token to 1 in the session and to 1 in the hidden field.
    Page 2, 3, 4... Increase the token in the session and compare it to the token in the hidden field. If equal, continue; else, raise an exception.

    If the user enters a URL, the token will not be the same as the one in the session, and you'll be able to detect this.

    In Spring, this could -quite- easily be implemented in an interceptor. I recall Struts having something like this. OTOH, you should carry the token hidden field along on all your pages, links and forms...

    Regards,
    Esteve
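A Python sketch, added here and not written by any poster in the thread, of the sequential hidden-field token from post #15 (read as: compare the submitted token with the session token, then advance it) combined with the per-request ownership check that posts #12 and #14 say is still needed. `Session`, `ORDERS`, `login`, `flow_check`, `view_order` and `attempt` are constructed names, and the order data is made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    token: int = 0  # last navigation token handed to this user's page


# Constructed sample data (not from the thread): order id -> owning customer
ORDERS: Dict[int, str] = {101: "alice", 102: "bob"}


def login(user: str) -> Tuple[Session, int]:
    """Page 1: the user logs in; token is 1 in the session and in the hidden field."""
    session = Session(user=user, token=1)
    return session, session.token


def flow_check(session: Session, submitted: Optional[int]) -> int:
    """Pages 2, 3, 4...: the hidden-field token must equal the session token.
    On success the session token is advanced and the new value is returned so
    the next page can embed it. A URL typed into the address bar carries no
    hidden field (None) and a bookmarked page carries a stale value; both fail."""
    if submitted is None or submitted != session.token:
        raise PermissionError("navigation token mismatch")
    session.token += 1
    return session.token


def view_order(session: Session, order_id: int, submitted: Optional[int]) -> str:
    """The flow token only shows the request came from the previous page.
    Authorization is still decided per request: the order must belong to the
    logged-in user (post #14's "who owns the data")."""
    next_token = flow_check(session, submitted)
    if ORDERS.get(order_id) != session.user:
        raise PermissionError("order not owned by current user")
    return f"order {order_id}; next token {next_token}"


def attempt(session: Session, order_id: int, submitted: Optional[int]) -> str:
    """Turn refusals into strings so the outcomes can be compared."""
    try:
        return view_order(session, order_id, submitted)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    s, tok = login("alice")
    print(attempt(s, 101, tok))   # allowed; session token advances to 2
    print(attempt(s, 101, None))  # URL typed into the address bar: no hidden field
    print(attempt(s, 101, tok))   # stale token from a bookmarked page
    print(attempt(s, 102, 2))     # flow token is right, but alice does not own 102
```

The last case is why the thread lands on per-request authorization: as post #11 notes, an authenticated client can supply whatever the previous page would have, so the token governs navigation order while the owner check is what protects the order record.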
