The Web Design Group

... Making the Web accessible to all.

Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
> Post Secure Link
TracyL
post Nov 4 2017, 02:18 PM
Post #1





Group: Members
Posts: 2
Joined: 4-November 17
Member No.: 26,526



I currently have a membership site setup once someone logs in it takes them to a page where they click on a button that is setup as:
<form action="http://www.xxx.com/" method="POST">
<input type="hidden" name="siteid" value="xxxxx">
<input type="hidden" name="theme" value="standard">
<button type="submit" style="border:0px;background-color:#FFF;color:blue;text-decoration:underline;cursor:pointer;">Get Access</button>

The link that they are going to is a part of our website and owned by us but not hosted by us. We use Post so that someone can't just copy the full URL and get access without coming through the membership login. The membership portion of the site is through WordPress.

We have a corporate client that wants to provide a link to all of their employees so that they can bypass having to register to get access. My thought is to provide them with a link so that when employees click on the link it does a redirect and takes them directly to end page. Is there a way to do this? Provide a link and then that page redirects via the same type of Post Secure as above?

Thanks!
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Nov 4 2017, 05:25 PM
Post #2


.
********

Group: WDG Moderators
Posts: 7,728
Joined: 10-August 06
Member No.: 7



QUOTE(TracyL @ Nov 4 2017, 08:18 PM) *

I currently have a membership site setup once someone logs in it takes them to a page where they click on a button that is setup as:
<form action="http://www.xxx.com/" method="POST">
<input type="hidden" name="siteid" value="xxxxx">
<input type="hidden" name="theme" value="standard">
<button type="submit" style="border:0px;background-color:#FFF;color:blue;text-decoration:underline;cursor:pointer;">Get Access</button>

You mean they first log in (how?), and after that have to click the submit button in the form above, which takes them to www.xxx.com?

QUOTE
The link that they are going to is a part of our website and owned by us but not hosted by us. We use Post so that someone can't just copy the full URL and get access without coming through the membership login.

Hiding a URL in a POST form is not very secure: anyone can simply view source, and once the form is submitted the URL becomes visible in the browser's address bar anyway. And if the user has already logged in, why the need to hide the URL from him in a POST form?

QUOTE
Is there a way to do this? Provide a link and then that page redirects via the same type of Post Secure as above?

Yes, but again it's not secure at all, since any of the employees could share the URL with anybody. It's also quite possible that the URL ends up in a search engine one way or another.

User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Nov 5 2017, 04:24 AM
Post #3


.
********

Group: WDG Moderators
Posts: 7,728
Joined: 10-August 06
Member No.: 7



QUOTE(Christian J @ Nov 4 2017, 11:25 PM) *

You mean they first log in (how?), and after that have to click the submit button in the form above, which takes them to www.xxx.com?

Maybe it works like this: after logging in, their login id (password?) is stored in the hidden form field. Then when the form is submitted, this hidden field value is sent to the other site www.xxx.com where again it's used as a login.

QUOTE
Is there a way to do this? Provide a link and then that page redirects via the same type of Post Secure as above?

You could give the employees the same form as above, with the hidden field id prefilled. But if the form is on a public page, anyone can see the id by looking at the source. Maybe you could put the form in emails sent to employees in order to limit the number of people that may examine it.

You might also use an ordinary link URL with a querystring, say www.xxx.com/login.php?id=1234321, which (if the id is correct) could make www.xxx.com/login.php set a session cookie in the employee's browser, and then redirect to www.xxx.com (where the cookies is used as credential, similar to the hidden form field value). If the links are only distributed by email you might limit the number of people seeing them, but anyone viewing the email can of course copy the link.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
TracyL
post Nov 5 2017, 07:24 AM
Post #4





Group: Members
Posts: 2
Joined: 4-November 17
Member No.: 26,526



Sorry - I'm a newbie and probably didn't explain it correctly. Let me see if I can explain it better. The other site is a white label solution that was customized for us - we do not handle any of the coding or tech side of that software. We are told by them that in order to mask the URL so that someone can't just type it in we need to use a Post Secure link:

<form action="http://www.xxx.com/" method="POST">
<input type="hidden" name="siteid" value="xxxxx">
<input type="hidden" name="theme" value="standard">
<button type="submit" style="border:0px;background-color:#FFF;color:blue;text-decoration:underline;cursor:pointer;">Get Access</button>

So what we do is have each individual register and login to our site. Once they are logged in they click on the button that says "Get Access" and it takes them to our white label site. If someone tries to just type in the main portion of the URL to gain access then a message comes up telling them that they have to log in to gain access.

Technically I guess someone could look at the source code and figure out the link but I highly doubt that they would do that and most people wouldn't know how to. Plus they would still have to be registered and login in order to do that. And even if they did and typed it in I'm not sure they still wouldn't be able to gain access.

Our client has a backend site that their employees log in to in order to gain access to their benefits. They have our information listed and then a button to take them to our site. Their site only allows this button to have a URL - they would have to bring in their developers to change this in order to the Post Secure that we do. So I could technically just bypass the login and take them to the page with the button to Gain Access but they I open myself up to Google finding that page and listing it. I was hoping that I could just set that same page up with a redirect where I can do the Post Secure. But not sure if that is even feasible to do.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Nov 5 2017, 10:38 AM
Post #5


.
********

Group: WDG Moderators
Posts: 7,728
Joined: 10-August 06
Member No.: 7



QUOTE(TracyL @ Nov 5 2017, 01:24 PM) *

Our client has a backend site that their employees log in to in order to gain access to their benefits.

Can't they use the same Get Access form as on your own site?

QUOTE
Their site only allows this button to have a URL

Didn't understand that part. Why not?

QUOTE
- they would have to bring in their developers to change this in order to the Post Secure that we do.

That sounds like the easiest solution.

QUOTE
I was hoping that I could just set that same page up with a redirect where I can do the Post Secure. But not sure if that is even feasible to do.

You might use javascript to submit the "Get Access/Post secure" form automatically when the form page loads. Other than that, I don't think you can redirect a POST form submission without first submitting it manually a second time.

User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 



- Lo-Fi Version Time is now: 18th November 2017 - 10:43 AM