tags:

views:

329

answers:

10
+1  Q: 

How to display a web page and keep its location a secret?

Background:

I have a PHP based (Zend Framework) application. It is secure, and only users who have been invited are able to access its resources. One of the resources that I want to keep secure is a link to a private Google Calendar. This is a public link, but I want to be in control of who can view it. There may be a time when a user account will be revoked and I don't want that user to still be able to access the calendar.

So I would like to display this Google Calendar page without giving the user the ability to know its real location and without the ability to bookmark it (in case the user has been deleted):

I'm thinking I can generate some sort of unique url and display this in the view.

<a href="/secret/link/4b21efc1ae7bb">Click here to see this secret page that only users who have been given permission are allowed to see</a>

Since the actual url of the Private Google Calendar is public, and not on my server, I don't want the user to be able to know the url, nor be able to bookmark the url. I don't know if this will involve iframes, javascript, or whatever is necessary, but I need to be able to do this some how.

Question:

How can I display the Google Calendar, while keeping it's true location secure?

+1  A: 

Why do you want to do this? You really can't completely hide the url of another page, unless you fetch the page and hide it by displaying it on a POSTED form page on your site.

You could try overlaying it in a frame, but the url still could be found.

If you want something simple, to prevent people from causally not bookmarking the url, setup a POSTED link or form that directs to an framed viewer, (embedding the page within another). If anyone bookmarks or shares the page without POSTED data, it can display page not found or access not permitted.

CodeJoust  2009-12-15 22:11:05
What is a "POSTED" link?
Chuck  2009-12-15 22:26:37
I have updated the question to better reflect what it is that I am trying to do.
Andrew  2009-12-15 22:38:29
A POSTED link is a hidden form that redirects to another page with parameters.
CodeJoust  2009-12-16 03:39:24
A: 

using Apache Web Server you can use mod-rewrite

http://www.yourhtmlsource.com/sitemanagement/urlrewriting.html

mmundiff  2009-12-15 22:12:03
Since this is on a different server, your answer is incorrect.
McPherrinM  2009-12-15 22:15:35
+2  A: 

You could write code that would dynamically generate these URLs and permit them to be accessed only once. That way, users could bookmark them all they wanted to to no avail.

Dan Loewenherz  2009-12-15 22:12:57
I have updated the question to better reflect what it is that I am trying to do.
Andrew  2009-12-15 22:43:05
+11  A: 

Perhaps the best way is to let your server actually fetch the page from the other server, then deliver it as content to the browser.

In that way, the external URL is never sent to the browser and therefore it doesn't know anything about it. Instead all the client sees is a URL to your server. Doing it this way would allow you to set whatever security you want on your page.

Pretty much every web language (.Net, PHP, java, etc ) all have support for doing this server side.

UPDATE

Due to the changes to the question, here is a new approach: Use the Google Calendar API. It's built for exactly the situation you are in. It will allow you to display the google calendar within your site as well as manage the access control list via code.

Chris Lively  2009-12-15 22:20:00
I have updated the question to better reflect what it is that I am trying to do.
Andrew  2009-12-15 22:37:47
This simple approach won't suffice. If the page makes XMLHttpRequests, they will be across different domains and fail. There are other problems, but this is the biggest one.
Jordan Ryan Moore  2009-12-16 01:08:25
+2  A: 

You could create your own proxy page.

When this page is called, your code will:

  • Call the real URL (the one you want to hide).
  • Scrape the HTML out of it.
  • Remove any references to the hidden URL in that HTML.
  • Spit that HTML back to the client.

Also, as per @DanLoewenherz's idea, that page will only work once.

I'm not sure what language/stack your using, but the above is possible in ASP.NET MVC.

jonathanconway  2009-12-15 22:24:48
I have updated the question to better reflect what it is that I am trying to do.
Andrew  2009-12-15 22:37:10
This could still work. It'd take a lot of effort, but it's about the only way that would actually work. You'd have to expand on it though to also forward the requests across to the google calendar too. Sounds like too much effort to me. I'd either just put it in an iframe (and accept that some people might get the url), or use google calendar auth settings to actually share it with the people accounts - or possibly create accounts for the users you already have, but don't actually share that information with them).
Blair McMillan  2009-12-15 22:52:48
+1  A: 

There is no completely secure way to do this without creating your own authenticated proxy server that fetches all of the HTML, JS, CSS, etc., modifies all URLs, and returns them to the user. This is not a simple task.

Jordan Ryan Moore  2009-12-15 23:04:57
A: 

Using Zend, you could use the class Zend_Http_Client to fetch the page returned from an external server, and return it to the user.

kiamlaluno  2009-12-15 23:24:02
A: 

To see this page some kind of authentication is needed? if doesn't, I guess this solves the problem.

<?php
$page=curl_init("http://google.com/calendar/...");
curl_setopt($page,CURLOPT_RETURNTRANSFER,1);
echo utf8_decode(curl_exec($page));
?>
Delta  2009-12-15 23:33:24
+1  A: 

Best option is IMO generating the Google Calendar yourself (using Zend_GData) and handel the "securing" yourself. That's the most secure way of all ;)

Tomáš Fejfar  2009-12-16 00:41:33
Or, if you don't want to use the Zend module, you could access the Calendar API yourself (http://code.google.com/apis/calendar/)
Blair McMillan  2009-12-16 12:53:24
JFYI: Zend_GData is official API http://code.google.com/intl/cs/apis/calendar/data/1.0/developers_guide_php.html#GettingStarted
Tomáš Fejfar  2009-12-16 22:14:39
A: 

Have a page that does:

file_get_contents('http://www.example.com/gcal');

And generate a secret URL for that page.

wooptoo  2009-12-16 01:08:54

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?