
Thread information:
Forum:
WinDev Forum
Posts in thread:
5
First post:
3 years, 2 months ago
Last post:
2 years, 8 months ago
Participating authors:
willy hermans, :cheers:, Fabrice Harari, Allard

Security on webdev login

Opening post by willy hermans on 14.12.2014 10:54

Situation
I am building a website with WD18. It works with delicate medical data.

A therapist can login to a specific environment via a personal url.

Everybody has the same URL with a long randomized parameter.

According to that link the system knows that it is a therapist, an administrator or a patient.

Of course there is also a password asked. And not everybody has access to all the data.

Now the problem.

I log in as a therapist via a valid link, fill in the password and have access to my pages. Excellent.

When I copy the URL and use it with another browser, I also have access to those pages without filling in the password:

http://127.0.0.1/WD180AWP/WD180Awp.exe/CTX_1288-0-KKnQyWlcVc-23120663/PAGE_BehandelaarLogin/SYNC_14246078

I think the webserver sees a session that is not expired.

When I do this twice it does not work anymore.

Now the question

How can I secure the site in such a way that it is not possible to access it from another URL?

Thanks,

Willy Hermans

Replies:

Hello Willy,

There are different ways of doing what you want. Here are a few:
- Check the IP address of the client each time something is done on the server (in the page template, for example). If the IP is different, redirect to the FBI web site... This will NOT work for several computers behind the same router, as they will have the same public IP.
- When the user enters their password (and therefore IS identified), write a token (a GUID, for example) in a session record in your DB linked to this user, and in a cookie on the client PC. Then each time something is done on the server (in the page template, for example), check that the COOKIE information matches the current session information in the DB. On a separate computer, the cookie won't be there. This will NOT work if cookies are not allowed on the client PC.
- Of course, you can also check that the browser type and version stay the same along the whole session, so that copying a link from IE to Chrome, or from Chrome 32 to 31, will always prevent the use of a link.
- You can also use the token technique but pass it as a mandatory parameter to each page. This will work even if cookies are forbidden, but will mean modifying all your calls to pages in your project. Also, if the user captures a full URL WITH this parameter, the session will still be active for it.
- Finally, a more complex system would be to use a single-use access number. Your project should manage a global variable (counter) set to 1 when entering the password, and recorded inside your session record... Each call from the browser (to open another page) should send this value as a parameter. The server would check that the number is in sequence (i.e. last number + 1) and hasn't been used before. Now, anybody capturing the URL would have to modify it again and again till they find the correct value for the counter. That would make stealing a URL very difficult.
- If you still need it more difficult, then transform/encrypt your counter value (from the previous system) before sending it so that the value appears random, not sequential. Of course, the server would know how to decrypt it before testing. It is STILL possible to crack that system, as the encryption code would be in JavaScript somewhere on the browser, but it would then require not only stealing the URL, but also digging into the browser code.
- And if that is STILL not enough, then have the encryption be done by the server itself, via a separate AJAXExecute call. That would of course slow down your site a little, but make it even more difficult to reuse a URL...

There are probably many more methods that can be used, and a combination of several methods is also possible, so have fun...

Best regards

by Fabrice Harari - on 14.12.2014 11:50
OK

Again a lot of stuff and a lot of fun ;{)

I know what to do until the end of this year.

Many thanks for the ideas.

Willy Hermans

by willy hermans - on 14.12.2014 12:15
You say you have:
- therapist
- admin
- patient.
They have different rights. So on some pages a therapist can edit and see things that a user cannot, and a user cannot edit, etc.?

Let me first say that I have experience with the PHP mode, but I think dynamic WebDev uses a system for handling sessions etc. in the same way.

I have several apps with 3 and even more roles and it works great.
I have a table for users and can give users rights so a user falls in a certain category. (The admin can do this.)
I use page templates with groups. This works great. If a button can only be seen or used by admin, add the button to the admin group, and if you log in as a non-admin you do not have access.
In the page template at the start I do a check on the users table.
- To see if the user is logged in and at what level. This is based on a global variable.
e.g. HReadSeek(user, userid, globalvariable)
This way you can make pages that are accessible to everyone but have content that can be different. You can also make admin templates. They are only accessible with the admin role.
If I log in and go to my admin panel, copy the page and paste it in another browser, then I am forwarded directly to the login page. I guess this was your question.

Regards

Allard

by Allard - on 14.12.2014 14:30
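As an added illustration that is not code from this thread or from WebDev itself: a Python model of the server-side checks Fabrice describes (a login token kept in a cookie and in the DB session record, plus a single-use request counter) combined with the per-role page check from Allard's page-template approach. The `Session` record, `SessionStore` and all method names are assumptions made for this example; in WebDev the same logic would sit at the top of the page template.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Added illustration, not WebDev/WLanguage code: the session table layout,
# field names and function names below are assumptions for the example.

@dataclass
class Session:
    user_id: str
    role: str            # "therapist", "admin" or "patient", from the users table
    token: str           # secret issued at login; lives only in a cookie and the DB
    last_counter: int    # last accepted single-use request number
    active: bool = True

class SessionStore:
    """In-memory stand-in for the session record in the application DB."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, user_id: str, role: str) -> Tuple[str, str, int]:
        """Called only after the password has been verified. Returns what the
        server hands to the browser: the session id (may appear in the URL),
        the cookie token (never in the URL) and the counter for the next call."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user_id, role, token, last_counter=0)
        return session_id, token, 1

    def check_request(self, session_id: str, cookie_token: Optional[str],
                      counter: int, required_role: Optional[str] = None) -> bool:
        """Run at the top of the page template on every server call.
        Accepts only if the cookie token matches the stored one, the counter is
        exactly the next unused value, and the user's role allows the page.
        A wrong token or counter ends the session: a copied URL is evidence that
        the link has leaked, so the legitimate user has to log in again."""
        s = self._sessions.get(session_id)
        if s is None or not s.active:
            return False
        if cookie_token is None or not hmac.compare_digest(cookie_token, s.token):
            s.active = False                    # URL reused without the cookie
            return False
        if counter != s.last_counter + 1:       # replayed or guessed counter
            s.active = False
            return False
        s.last_counter = counter
        if required_role is not None and s.role != required_role:
            return False                        # page exists, but not for this role
        return True
```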
:hot:

by :cheers: - on 18.06.2015 15:30