$.ajax({url:"URL",success:function(result){
I have a webpage that accesses a certain URL and then extract certain elements of the webpage. However, in order to access that URL you have to be redirected to what is similar to a log in page (requires form submission) and then you have access to that link.
I want to prevent the redirection upon loading the URL. Is that possible?
If not, am I able to manually do the form submission using JAVASCRIPT? Via AJAX or any other resource.
EDIT: By manually saving the .html to my directory and accessing the page from my root folder, it works fluently.
Thank you!
Yes, it is possible. You need to stop the form submission and add your AJAX call. Like this:
$("form").submit(function(){
$.ajax({url:"URL",
success:function(result){
}
});
return false;
});
More information here.
If I understand your question, what you need to do is log the user into the external website programmatically beforehand. This is possible if the other site supports OAuth or something similar, but the specifics will depend on their API and what exactly you're trying to do. I can't tell you more than that without more information.
This assumes you're trying to include the other web page in an iFrame, or link directly to a page there, or something like that. If, on the other hand, you're trying to log in to the foreign website as the user, pull out some content, and mix it in with your own, then I suggest you change your approach. You'll probably run afoul of all kinds of anti-XSS security policies, either on the foreign website or in the browser depending on what you try to do. Or you'll have to ask your users to give you their password on another site, and they'll have to really trust you for that.
Generally speaking, if you want to interact with another website, the user's client should connect, log in, and receive content directly from the other server without you acting as an intermediary. I think perhaps you're asking the wrong question: Instead of "how can I do this without the user logging in," ask "how can I let the user connect and log in to another website without having to leave my page?"
Related
I'm looking to securely lock content on a basic html site based on various permissions of the user. I'm looking to have a pop-up modal appear when the user's permissions don't check out... however it seems to be that any savvy user could simply open the console and delete that element (thus revealing the page anyways).
What am I missing here? What's the best way to approach this so that no matter what the actual page can't be accessed?
Thanks in advance for the help!
If content is downloaded to the client, it's always technically possible for a savvy user to access it.
You can either live with that, or alternatively do something like the following:
Load the basic page template without any content
Use an API call using cookies/other auth to get the content
If logged in, display the content, if not, launch the modal.
Ok here is my answer to this one.
The answer given was agood one, you can't hide the content truly so your options are:
Don't download all the stuff you want until you have auth'd the user (via cookies etc.
Use a simple redirect/buffer page infront of your hidden content.
In my use case (shopify) partial downloading of store content isn't exactly configurable (or i don't have enough knowledge of their template language + theme design to pull it off!), so I made use of javascript and cookies in order to check a user's status. If the user didn't pass they'd get kicked back to a landing page. Good enough!
I want to make a secret URL that will authenticate a user to do something, but which won't be there in the browser history.
e.g. I thought something like this would work
Special link, e.g. https://example.org/page#specialHashGivesAccess is sent to the right people by email. Email is considered secure enough for this purpose.
Javascript running on the page sends the secret to a server via ajax which checks it and returns a temporary hash instead.
Javascript does a window.location.replace to the page with the temporary hash.
The app then checks the temporary hash and if OK shows the content.
the temporary hash expires in a short while, or can be manually expired.
The original special link (1) is not in browser history.
Further more, the script that does this work; the app script and the ajax server, are remote. i.e. siteA that generates example.org/page has <script src="https://siteb.com/app.js"> and ajax is done using CORS.
However it does not seem reliable in my testing, I'm finding specialHashGivesAccess in my history.
Is there a way to achieve this?
It can't be done (at the time of posting this answer).
While there are many methods for manipulating the session history, it is not possible to prevent an entry being created in the global history, or to overwrite the first page load request stored there.
Therefore the solution I'm going to go with is along the lines of
Hi,
To access the service you can use the following link and password:
https://example.org/myApp
password: aabbccddeeff00112233
If nobody else uses your browser you can use the following shortcut link to save you entering the password, however note that this will give access to the service to anyone that has access to your browsing history.
https://example.org/myApp#aabbccddeeff00112233
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php
I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.
What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?
If you just want the user to visit page.php before using api.php, the session is the way to go.
Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes the the URL in their browser and just types the api.php call they will not get a result. This doesn't protect your site but it keeps search engines away from that url reasonably well and accidental browsing to it.
Otherwise, there are lots of authentication plugins for php.
http://www.homeandlearn.co.uk/php/php14p1.html for example.
You can check the request in several ways such as Token validation, Session validation or even by Server 'HTTP_REFERER' variable
Check the referrer with $_SERVER['HTTP_REFERER'] if its outside the domain block it.
Beware that people can alter their REFERER so its not secure.
Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html
Cookies, HTTP-Referer, additional POST-Data or some form data, that you send in an hidden input field aren't secure enough to be sure, that the user comes from your site.
Everything of it can be easily changed by user, by modifying the http-headerdata (or if you use cookies, by changing the cookie-file on the client machine).
I would prefer the PHP-Session combined with an good protection against bots (ex. a Honeypot), because it's not so easy to hi-jack, if you use them properly.
Please note: If there is a bot especially for your site, you lost anyway. So there isn't a 100% protection.
I want force users to first click on some links and then go to a specific address. How can I terminate traffic sources that are direct in the second page? Or is there any way to only accept requests that are from specific a url?
Note: if there is something wrong, I want the page not to be viewable.
Thank you
What you could do is use the document.referrer property, and check weather or not the url matches the first page. Something like this, perhaps:
if (document.referrer !== 'http://www.google.com')
{
window.location.href = 'http://www.google.com';//redirect to first url
}
As Bergi pointed out in his answer: this kind of functionality is really better left to the server side. Though suggesting cookies is, as far as I'm concerned, not the ideal way of doing this, since cookies can be turned off client side, or WCS, tempered with.
Depending on which server side technology you're using, it might pay off to read up on all tools you have at your disposal to play with the request the user sends to your application, and take appropriate actions accordingly.
You should set a cookie in the first page that the user is allowed to view the second one.
Then your serverside application would check the cookies before delivering the second page, and otherwise redirect or show an error message.
You should not do such things via JavaScript (which includes the jQuery library), elsewhile everybody who disables JS could view the page.
I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.
This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.
Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:
if (top.location.protocol == 'file:') {
alert('This application is not designed to be accessed from a desktop copy...')
}
But this will only warn users that have saved the desktop copy since I have added this piece of javascript.
Has anyone else had this problem and come up with clever solutions that they'd like to share?
Thanks
Update:
In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.
If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).
Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.
I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.
Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?
Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.
Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.
You could probably check the http referrer on the server side and warn users not coming from your hosted login form.
Edit:
Actually, a vaguely similar question has been asked before and got a good explanation why referrer is not an ideal solution and also provides an alternative solution: How to check if a request if coming from the same server or different server?
Why, don't you, instead of the alert, put a redirect to your page?
window.location = 'http://www.yourdomain.com'
Or you can also force a reload with window.location.reload();
Instead of message you may redirect your user to the real page which has login form, or show the help box that will explain that user should save page in such way.
You could set a session variable that is set as a hidden variable in the form. If that is not there, you redirect to your login form.