i try to track all URL's as soon as a users click on a href and insert it to the oracle database, like a monitoring how many time this link has been used. What is the best way to do it? any idea/example to share? I'm new and trying to learn.. thank you so much for your help and support
Example:
stackoverflow<br>
GOOGLE<br>
<cfquery name="url" datasource="test">
insert into url (url, date) values ('#url#, sysdate)
</cfquery>
A common way of tracking outbound links is to send the user to a page that tracks the click, then redirects them to the desired page:
<a href="/outbound.cfm?redirectURL=https://stackoverflow.com">
Your outbound.cfm page would handle calling a function to insert the metadata into your DB, as well as the redirect. You can get the redirectURL via the attributes scope.
As a side note, you should never use a cfquery without using cfqueryparam. As written, your query would be vulnerable to SQL injection.
Related
I am making a simple crud operation in Spring and hibernate Project. when i click in edit my Url is edit/{id} and for update is update/{id}.The id is primary key,auto generated which was save in database like 1,2,3...
I want to know that id should be encoded or not in html page.Can anyone help me.
If you want to provide security
Encode the id use Base64.
Encoded id return to front
When click to edit the id will come to controller
Then you can easily decode it.
No need to encode the ID.
Its okay to keep it as it is.
If you are afraid of security then apply security on method or application level.
In some webpages or views, I have information displayed in table. Column values are rendered as links.
Problems:
When I hover over the link, it's URL is visible at the bottom of browser.
When I click on link, I show information for the resource requested in URL. (www.someurl.com/Employee/67 gives me information of employee with id = 67).
Now, this URL is displayed in browser. If you change URL to www.someurl.com/Employee/88, it shows information of employee with id = 88 though the logged in user is not supposed to see information for employee id 88
This are serious security breaches.
I am thinking of following as possible solutions:
URL masking at application level
Base64 encoding of URL to shorten and obfuscate it, so that users can't just throw values in the URL.
#Html.AntiForgeryToken() and ValidateAntiForgeryTokenValidation mechanism
Is there better and more secure approach other than above to solve this issue?
Check in Controller serving www.someurl.com/Employee/88 if currently authenticated user has access to Employee with ID 88 and throw exception if he does not - no need to mask url.
If the user is not supposed to be able to see the employee with the id of 88 then they should not be able to see the information for the employee with id 88. The URL is more or less irrelevant and is in your case only giving them an obvious clue as to how to gain unauthorised access to data in your system.
You need a proper security plan where data is only served from the database to the UI via the business layer if the logged in user if authorised to see that data.
Here is my idea about your first approach security breach:
Mix your id with some GUID or complex structure while sending it, and when you receive it, took out your id from this and then proceed. [ Your masking idea]
I provide sessionstate in my web.config file like this
sessionstate mode="InProc" cookieless="UseUri
That way each tab generates a new unique session ID in the URL with the format like this :
http://www.domain.com/(S(kbusd155dhzflbur53vafs45))/default.aspx
It worked, but when I copy the url and paste it on another tab then the previous session value is inheriting. How can I solve this issue? Is there anyother method to solve issue?
A possible solution to this situation would be issue a ticket (guid or seomthing like that) in each response you write to the client. In the request the client would send this ticket and the server would 1) Check to see if it is valid and 2) Invalidate it so just one request (the original one) could be made with it. This way your user wouldn't be able to take advantage of new tabs or even copy/paste of URLs.
If the user pastes a URL containing an existing session token into a new tab, your application cannot possibly know that this is a new tab and not an existing tab. I'm afraid that short of some hacky browser plugin there isn't much you can do about this.
I'm trying to post the entire asp.net form to a certain url.
I have tried:
$.post("http://www.someaddress.com", $("form").serialize());
I have also tried:
$.ajax({
type:"POST",
url:"http://www.someaddress.com",
data: $('form').serialize(),
success: function(){
alert('yay');
}
});
In both cases the submit is fine but no data is passed along with it.
When i test the form.serialize() in firebug console, this shows my form serialized just fine. When i view the submit in fiddler, i can see that the data part is not set. Maybe im not understanding the data part, but every single tutorial shows this as the way to go -> serialize the form and set that as data. What must i do to get my serialized form as the data in my request?
What am i missing? Also - why does the NET tab in firebug show all these requests as method OPTIONS?
is this
url:"http://www.someaddress.com"
just an example or do you try to access a foreign domain? (which would explain the problem).
Based on your comment, the ajax same origin policy does not allow to access a foreign domain.
You cannot do a Ajax request to a foreign domain. As this is not allowed (against security) in javascript to access a foreign page ( not on your domain )
For a Web Application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. Looks similar to this:
http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe
Can anybody help me with some hints about the proper generation of those validation tokens? Googling best practices turned out to be more difficult than I though it would be. The links should:
... not require the user to log in first.
... not reveal any login credentials to keep the application secure
... allow me as a developer to efficiently validate the token. I'm pretty sure I need a way to extract the user identifier out of the code to meet this criteria. Don't I?
Furthermore, would you go for a random code, which is saved somewhere, or a generated code which I can recalculate for validation?
Thanks for any replies!
Matthias
P.S. I'm working with ASP.NET 3.5, in case there's an out-of-the-box feature to perform this.
Some suggestions to get you started:
Use GUIDs
Use some sort of salted hash (MD5, SHA1, etc)
Use a random string of characters (the more characters the less likely you'll have collisions)
Store it in a database temporarily, and timestamp it so that it expires after a certain period of time
The simplest way to do it is generate a GUID, store that in the database tying it to their user account and then give them a time-frame within which to click a link with that GUID in.
That validates they are the correct person without making the URL calculable whilst making it resistant to dictionary style attacks.
I construct the hash in a way that can be re-created:
code = MD5( my_hash + user_email + register_timestamp )
Then send a link to http://example.com/validation/?code = 4kj34....
Validation does a lookup like:
SELECT id
FROM users
WHERE
MD5( CONCAT( my_hash, user_email, register_timestamp ) ) = code
AND activated = 0
If you get a single result, update their 'activated' field and sign them in. You can also do some math on their 'register_timestamp' field for a poor man's TTL
I would probably use a Guid. Just create a Guid (by calling Guid.NewGuid()), store it as the validation token for that user, and include it in the validation link.