My friend and I are working on a program. This program is going to submit GET data to our webpage. However, we don't want users accessing the webpage any other way than the program. We can prevent users from sharing the program using HWID authentication, but nothing prevents them from using a packet scanner to get the URL of the webpage. We thought about user-agent authentication, which we will implement, but user-agents can easily be spoofed.

So my question is, how can we prevent users from accessing the webpage directly, instead of through the program?

Even if you don't have an answer that will completely work, anything that will help deter them would be nice.

Currently we will be implementing:

  • HWID Authentication to use the program
  • User-Agent Authentication to access the web page
  • Instant IP Blacklisting to anyone accessing the webpage without the proper User-Agent

A: 

One option is to use and verify a custom header which a web browser does not send; I did a similar thing for a program of my own. Do that on top of the other verifications you are doing. On the server side, have your server script verify the custom header and simply redirect if the header is wrong.

Jim
Sounds good, can you please elaborate on how I could make the webpage check for the header? Maybe also elaborate on how to send the custom header. I do the PHP, my buddy does the VB.Net
Rob
easily spoofed too
Col. Shrapnel
Security through obscurity... What happens if someone intercepts a request and sees that custom header?
Guillaume
In PHP, in the page your program is supposed to read, use public array HttpRequest::getHeaders () to get the headers and check/verify the name and the value. In VB.Net, with the request object you add a header. You do not return any custom header back to the program, and you simply redirect if the header check fails.
Jim
@Jim the point is that those headers can be duplicated easily by a malicious client. They don't really add security.
Pekka
+2  A: 

One option is you can set an encrypted token in the request header.

The token can be used only a single time. If the same token is sent again the server will reject it, which means you have to maintain a copy of utilized tokens on the server side.

Java Chap
Maintaining copies is easy, I'll simply use a MySQL database. I need to do that anyway for the IP Blacklist.
Rob
Is this not a better way than SSL? Because the encryption logic is inside the application. We can't help it if people decompile the code! Also this is a cheap solution, rather than investing in SSL certificates!
Java Chap
Good point. The one-time algorithm might get reverse engineered one day but so could the encryption key(s) used.
Pekka
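The custom-header check from the first answer and the single-use token from this one can be combined into one scheme: the client puts a signed, nonce-bearing token in a custom header, and the server verifies the signature, rejects stale timestamps, and remembers used nonces so a captured request cannot be replayed. The following is an added example written in Python for illustration; it is not code from any poster. The header name X-App-Token, the shared secret, the 120-second skew window and the timestamps are constructed assumptions, and the in-memory "used nonces" dictionary stands in for the database table the asker mentions.

```python
"""Single-use signed request tokens: client side and server side (added example)."""
import hashlib
import hmac
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret-not-for-production"  # assumption: provisioned per client
HEADER_NAME = "X-App-Token"                                     # hypothetical custom header name
MAX_SKEW_SECONDS = 120                                          # reject tokens older than this


def _message(method, path, nonce, ts):
    # The signature covers method, path, nonce and timestamp, so a token captured
    # for one request cannot be reused for a different URL or method.
    return f"{method}\n{path}\n{nonce}\n{ts}".encode()


def make_token(secret, method, path, now=None):
    """Client side: build 'nonce.timestamp.signature' bound to the request line."""
    nonce = secrets.token_hex(16)
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(secret, _message(method, path, nonce, ts), hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{sig}"


class TokenVerifier:
    """Server side: verify signature and freshness, then reject replays."""

    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.used = {}  # nonce -> expiry time; a DB table in a real deployment

    def _purge(self, now):
        # Forget nonces whose timestamp is already outside the skew window;
        # the freshness check would reject them anyway, so the table stays bounded.
        for nonce, expiry in list(self.used.items()):
            if expiry <= now:
                del self.used[nonce]

    def verify(self, headers, method, path, now=None):
        """Return (accepted, reason) for a request's headers and request line."""
        now = now if now is not None else time.time()
        token = headers.get(HEADER_NAME)
        if not token:
            return False, "missing header"
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        nonce, ts, sig = parts
        if not ts.isdigit():
            return False, "malformed timestamp"
        expected = hmac.new(self.secret, _message(method, path, nonce, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad signature"
        if abs(now - int(ts)) > self.max_skew:
            return False, "stale token"
        self._purge(now)
        if nonce in self.used:
            return False, "replayed token"
        self.used[nonce] = int(ts) + self.max_skew
        return True, "ok"


def demo():
    """Run the scheme against constructed requests; returns the verifier's reasons."""
    v = TokenVerifier(SHARED_SECRET)
    now = 1_700_000_000  # constructed fixed clock so results are deterministic
    tok = make_token(SHARED_SECRET, "GET", "/api/data", now=now)
    hdr = {HEADER_NAME: tok}
    results = [
        v.verify(hdr, "GET", "/api/data", now=now)[1],       # first use: ok
        v.verify(hdr, "GET", "/api/data", now=now + 1)[1],   # same token again: replayed
        v.verify(hdr, "GET", "/api/other", now=now)[1],      # token moved to another URL
        v.verify({HEADER_NAME: make_token(SHARED_SECRET, "GET", "/api/data", now=now)},
                 "GET", "/api/data", now=now + 1000)[1],     # fresh nonce, too old
        v.verify({}, "GET", "/api/data", now=now)[1],        # browser without the header
        v.verify({HEADER_NAME: "abcd.1700000000.ffff"}, "GET", "/api/data", now=now)[1],
    ]
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

As Guillaume and bobince point out in the next answer, the secret still ships inside the distributed client, so this raises the bar against casual replay and browser access but does not stop someone who extracts the key from the program; the server must still treat every accepted request as untrusted input.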
+4  A: 

Do not rely on user agent or any kind of browser fingerprint, HTTP headers are easily forged/spoofed.

You could add some secret token (eg. password/login) to the request and send it through SSL to prevent eavesdropping.

Or better, use an SSL client certificate.

Edit: Are you going to distribute the VB program? If so, as bobince mentioned, there's no way you can prevent a determined hacker from forging requests. You can raise the bar, but it will be security through obscurity. Even with client certs, the hacker will be able to extract the cert from your program and send modified requests.

As long as you accept requests from the client, these requests can be forged. Deal with it.

Guillaume
Yeah we thought about using SSL except that I don't have a clue about it, and don't know how to make the page accessible via SSL
Rob
So, time to learn. @Rob, buy yourself a book or two.
Col. Shrapnel
Yeah, I suppose. Or I could use Google, where everything's free.
Rob
+1 Encrypting the communication is the only half-way safe way to do this that I can think of.
Pekka
In the end, of course, you can never win. Once you give a copy of the software to someone else, they have any information in it (like a client cert) that would be necessary to connect to the server.
bobince
@Rob: That depends on how much your time is worth.
Heinzi
A: 
  • Try encrypting all your webpages using a long key (512 bits or more); use the HWID as a salt.

    This way only your program can decode it and render it as a webpage.

    en.wikipedia.org/wiki/Salt_%28cryptography%29

  • C# & VB.net here:

    obviex.com/samples/hash.aspx

CVS-2600Hertz