Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

URL parms security issue?

Status
Not open for further replies.
wvdba

wvdba

IS-IT--Management
Jun 3, 2008
465
US
hi.
i have a website that has 2 pages, page1 and page2.
page1 lists terms of use and so on and user chooses option to list items like this:
the asp page accesses the oracle db and gets records which the user requested using a facility. the facility contains the following individual items:
view_details-----item_name------item_description
view_details widget1 widget 1 description
view_details widget2 widget 2 description
view_details widget3 widget 3 description
this view_details is an href that links to page two and passes the record ID with the href link which is visible on the url. i would like to hide these parameters that are passed to page two. page two lists the detailed description of the item they clicked on. an individual has been using just page2 and has drilled down the links with the parms and gets all the details of the items, downloads them and puts them on his own website. my task is to prevent this user from sealing the data using my page's code (asp classic) and supplying the parms. i have used session id and that kept the guy from sealing our data. but two days later, he got around it and stole the data again.
any suggestions would be greatly appreciated.
thanks.
 
Sort by date Sort by votes
you could create a "form" for each row and "post" the item id to page2 - create/keep a session value to stop the person from submitting to page2 from their own site...

JavaScript: 
	function submitForm(frm) {
		document.getElementById("form_" + frm).submit();
	}

Code: 
<%
	response.CacheControl = "no-cache"
	response.AddHeader "Pragma", "no-cache"
%>

<%
	if session("thisSessionId") = "" then
		session("thisSessionId") = "1234" ' make this a random number
	end if
%>
<table border="1">
<tr>
<th>view details</th>
<th>item name</th>
<th>item description</th>
</tr>
<tr>
<td>
	<form action="page2.asp" id="form_1" method="post">
		<a href="javascript:submitForm(1);">view details</a>
		<input type="hidden" name="tbxItem" value="1" />
		<input type="hidden" name="tbxSession" value="<%=session("thisSessionId")%>" />
	</form>
</td>
<td>widget1</td>
<td>widget 1 description</td>
</tr>
<tr>
<td>
	<form action="page2.asp" id="form_2" method="post">
		<a href="javascript:submitForm(2);">view details</a>
		<input type="hidden" name="tbxItem" value="2" />
		<input type="hidden" name="tbxSession" value="<%=session("thisSessionId")%>" />
	</form>
</td>
<td>widget2</td>
<td>widget 2 description</td>
</tr>
</form>

Code: 
<%
	tbxSession = request.form("tbxSession")
	tbxItem = request.form("tbxItem")
	if tbxSession <> session("thisSessionId") then
		response.write "oops!!!"
		response.end
	end if

	session("thisSessionId") = ""
%>
<%
	response.write tbxItem
%>
<!-- continue like normal here, your item id is stored in "tbxItem" -->


--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
Upvote 0 Downvote
thanks.
the content of "input type = hidden" can be seen be seen when you view the source code. the guy is downloading the source, parsing the item_id/name and accessing database with the session in place.
 
Upvote 0 Downvote
thanks.
the content of "input type = hidden" can be seen be seen when you view the source code. the guy is downloading the source, parsing the item_id/name and accessing database with the session in place.
Click to expand...

By "accessing database", I'm assuming you mean he's viewing page2.asp and not directly accessing your server...

That's why you have the 2nd hidden field that contains the session var you created...

The guy can see that too, but he can't add a session on your server from his. Since the sessoin var is emptied after the item is viewed (page2.asp) and recreated every time the list is shown (page1.asp).

You can't stop him from clicking on every link and viewing the product information, but you can stop him from scraping the info from your site...

You can use a GUID for the session id:

Code: 
set obj = createObject("scriptlet.typeLib")
	session("thisSessionId") = left(cstr(obj.guid),38)
set obj = nothing




--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
Upvote 0 Downvote
Thanks vicvirk.
It's not setting/getting the session id.
my code is:
Code: 
page1.asp
<%
set obj = createObject("scriptlet.typeLib")
    session("thisSessionId") = left(cstr(obj.guid),38)
set obj = nothing
%> 
<body>
this is a sample page. 
<form action="page2.asp" method="post" name="myForm" id="myForm">

   <input type="text" name="fname" id="fname"></input>
</form>
Code: 
page2.asp
<%
response.write session("thisSessionId") & "<BR>"
response.end 
%>

 
Upvote 0 Downvote
in any case, he can grab this session by running my pag1 code. can he not? he has a program that opens this page and reads the contents of the database using the asp code in the page.
 
Upvote 0 Downvote
in any case, he can grab this session by running my pag1 code. can he not? he has a program that opens this page and reads the contents of the database using the asp code in the page.
Click to expand...

Yes, but he has to run that page everytime, as the session id is removed once page2.asp is rendered. Once the product listing page is accessed (via the back button or a link), a new session id is created...

Think of it this way:

user loads page 1
-Session ID = 123
user loads page 2
-if session id = 123 then continue
-delete session id
user loads page 2 again
-session id does not exists, do not continue
user loads page 1 again
-Session ID = 456
...and so on....

you can take it one step further by checking if a session id even exisits

Code: 
if tbxSession <> session("thisSessionId") or session("thisSessionId") = "" then



Even if you can somehow hide the item id, you can't stop him from clicking each link and doing the work...




--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
Upvote 0 Downvote
thanks.
what i'm not clear about, is how do i vary session id from 123 to 456 when i return to page1?
 
Upvote 0 Downvote
i set the session id in page1 as i noted above. when i try to write it in page2, nothing shows. am i doing something wrong?
thanks.
 
Upvote 0 Downvote
what i'm not clear about, is how do i vary session id from 123 to 456 when i return to page1?
Click to expand...

The page headers at the top of page1.asp prevent the page from being cached which means everytime it is loaded (even when the back button is pressed) a new session id is created.

i set the session id in page1 as i noted above. when i try to write it in page2, nothing shows. am i doing something wrong?
Click to expand...

I ran your code and it worked for me, maybe you are unable to create guids on your server?

Try a simple random number

Code: 
randomize
random_number = int(rnd*1000)+1
session("thisSessionId") = random_number


--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

JScannell
  • Locked
  • Question
Border issue with Google Chrome on an Android phone
Replies
0
Views
166
JScannell
JScannell
leifoet
  • Locked
  • Question
How to combine A HREF with URL
Replies
1
Views
86
leifoet
leifoet
Ambientguitar
  • Locked
  • Question
Issue with this not calling the Sub in Classic ASP page
Replies
5
Views
220
MarkSweetland
MarkSweetland
vamsikirank
  • Locked
  • Question
Fortify Scan For Classic Asp Application - Issue
Replies
2
Views
132
guitarzan
guitarzan
leifoet
  • Locked
  • Question
How to hyperlink a database field to an external url
Replies
3
Views
97
guitarzan
guitarzan

Part and Inventory Search

Sponsor

Back
Top