Hide URL in status bar

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Hide URL in status bar

Post by Pavilion »

Hello:

I'm rewriting my business site. There are a couple pages for prospects, clients, etc... But... I'm also creating a private area of the website for use with my business. It will give me the ability to access my database when I'm not in the office.

Because the business side of my website is private, the one link to that side is very subtle and "hidden" behind some copyright language. Of course there is always the chance a site visitor will hover over the copyright and see that they can click it. They will get to a login page with no other links.

However, currently, if a user hovers over the copyright language the address of my login page shows up in the browser status bar. I've tried the following:

Code:

<a style="color: #405243" href="http://www.mysite.com/private/login.php" onmouseover="window.status='http://www.mysite.com'" onclick="window.status=''">mysite.com</a>.
The above does not change what is seen in the status bar. The full path to my login page shows up.

Does anyone know how to change what is seen in the status bar?

Thanks Much:

Pavilion
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: Hide URL in status bar

Post by tr0gd0rr »

From Stack Overflow: "window.status has been disabled in most (if not all) browsers for security reasons".

You can't change it.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hide URL in status bar

Post by califdon »

If your web server is Apache, a better way to protect your private page is to locate it in a subdirectory that uses an .htaccess file to require a username and password to gain access. Then you don't care if someone sees that there is a link, as long as they don't have the username and password.

Read: http://www.javascriptkit.com/howto/htaccess3.shtml and/or
http://www.htaccess-guide.com/password-protection/
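The directory protection califdon describes, written out as an added example (not from the thread, not from the linked guides). It assumes Apache 2.4 with mod_ssl and `AllowOverride AuthConfig` enabled for the directory, and the paths `/var/www/example.com/public/private/` and `/var/www/example.com/auth/.htpasswd` are invented for illustration:

```apacheconf
# /var/www/example.com/public/private/.htaccess   (assumed path; added example)
#
# Create the password file once, with bcrypt hashes, OUTSIDE the document root
# so Apache can never serve it to a visitor:
#   htpasswd -B -c /var/www/example.com/auth/.htpasswd pavilion

AuthType Basic
AuthName "Business area"
AuthUserFile /var/www/example.com/auth/.htpasswd
Require valid-user

# Basic auth sends the password base64-encoded, not encrypted, on every request.
# Refuse to serve this directory at all over plain HTTP (403), so a mistyped
# http:// link cannot leak the credentials before any redirect would fire.
SSLRequireSSL

# With the browser's auth prompt acting as the login, the landing page can be a
# plain index.html; no separate login script is needed.
DirectoryIndex index.html
```

Check it from outside the network: an unauthenticated `curl -I https://www.example.com/private/` should return `401 Unauthorized`, and the same request over `http://` should return `403 Forbidden` rather than a password prompt. The HTTP-to-HTTPS redirect for the rest of the site belongs in the port-80 virtual host, not in this file.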
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

califdon wrote:If your web server is Apache, a better way to protect your private page is to locate it in a subdirectory that uses an .htaccess file to require a username and password to gain access. Then you don't care if someone sees that there is a link, as long as they don't have the username and password.

Read: http://www.javascriptkit.com/howto/htaccess3.shtml and/or
http://www.htaccess-guide.com/password-protection/
Hello Califdon:

Thank you for your suggestion. I checked with my hosting provider. They already had directory password protection capabilities set up. So, I followed your suggestion.

Still though, it only makes sense to NOT advertise that which you don't want people to know about. To that end, finding a way to hide the url of my private login link was necessary. I handled that problem by using jQuery.

Following is the html for my footer copyright:

Code:

<span id="goToLogin" style="color: #405243">&copy; 2012 </span>
The jQuery selector for #goToLogin

Code:

// Bind the click to the copyright span instead of an <a>, so hovering
// shows no destination in the status bar.
$('#goToLogin').click(function () {
    window.open('http://www.mysite.com/secure/login.php');
});
Now... when a user passes his/her cursor over the copyright no url address shows up in the status bar. In addition, the cursor is set to text, so the user doesn't know it's a link. Of course if the copyright is clicked, then the user will see the url in the status bar, but it's moot at that point, because clicking the copyright takes one to the login page anyway. However - because of your suggestion, the added layer of password protecting the "secure" directory is also in place.

Thanks for your help.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Hide URL in status bar

Post by requinix »

Except now you've removed all the good points of having an <A> link in favor of... well, nothing. If I do a View Source on the page I can very easily see where the link is going.

You're trying to fight against something that isn't even a problem. It wouldn't matter if you broadcasted to the entire Internet where that private login page is so long as the page itself is secure. You came here for advice, right? We're giving it to you. Take it.
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

requinix wrote:Except now you've removed all the good points of having an <A> link in favor of... well, nothing. If I do a View Source on the page I can very easily see where the link is going.

You're trying to fight against something that isn't even a problem. It wouldn't matter if you broadcasted to the entire Internet where that private login page is so long as the page itself is secure. You came here for advice, right? We're giving it to you. Take it.
Hello Requinix -

Thank you for adding your voice to this discussion. I do appreciate it.

Over these past months I've taken a lot of good advice, from a lot of people. Celauran being my most frequent advisor. And I've learned much. However, even though PHP (and on-line programming in general) are new to me, I've 20 years of experience developing in a classical database environment. Maybe it is simply a matter of me adjusting to a different development environment - but that is going to take time. For now, I am going to have to take things "one step at a time".

It is a completely new concept to me that so much of my source code is open for anyone who knows how to get to it. From your perspective I'm trying to fight against something that isn't even a problem. From my perspective, I simply don't like advertising information others don't need. I'll trust pages and directories are secure, once I've had enough time programming in this environment to know I'm securing them properly. I've personally witnessed people hack into classical databases that were supposed to be "secure". If I've learned nothing else in the past 20 years it's that "secure" is a relative word and concept when it comes to databases.

I do appreciate your point (but please understand I have to take learning to develop in an on-line environment at a pace I'm comfortable with). I will continue to take advice when it is offered, but that advice will always be weighed against my own experience and level of comfort.

Thanks Much - Pavilion
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hide URL in status bar

Post by califdon »

I hear what you are saying and, coming from a database background, myself, I think I can appreciate your feelings, but believe me, just as database principles are foreign to those who lack database training, web development principles are altogether different from your experience. As a college instructor in both fields for many years, I assure you that clinging to your database experience frame of mind will impede your progress and learning. Surrender to the reality that you are working in a totally different environment and open your mind to new concepts as if you had never done any programming at all. Until, of course, your web project involves databases, then throw the switch and think like a database expert. That's my advice.

Now, I think in your situation, the relevant thing for you to do is ask yourself "What problem is it that I am trying to solve?" In re-reading your initial post, it seems to me that your problem was to prevent access to the "business" section of your website. Now that problem seems to have shifted somewhat, which is quite common, to hiding even the knowledge that such a section exists. If you are the only one who is going to use that section, why have a link on the public page at all? You could merely remember the name of the subdirectory and name your initial private page "index.html", since the authentication process of a .htaccess file handles the login, you don't need a login.html file at all. I have done that with a couple of protected "private" pages that only I ever use and it is very simple. Now this may not satisfy your specific needs, but my point is that it is crucial for you to identify the problem you are trying to solve. Just changing the problem slightly will often lead to quite a different solution.

There are other ways to redirect a request, using a .htaccess file, that would mask your destination path and filename, but I suggest that you consider whether simply not putting a link in your public page would meet your needs.
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

califdon wrote:Surrender to the reality that you are working in a totally different environment and open your mind to new concepts as if you had never done any programming at all. Until, of course, your web project involves databases, then throw the switch and think like a database expert. That's my advice.
Excellent advice, something I've been telling myself repeatedly for months now. :D
califdon wrote:Now, I think in your situation, the relevant thing for you to do is ask yourself "What problem is it that I am trying to solve?" In re-reading your initial post, it seems to me that your problem was to prevent access to the "business" section of your website. Now that problem seems to have shifted somewhat, which is quite common, to hiding even the knowledge that such a section exists. If you are the only one who is going to use that section, why have a link on the public page at all? You could merely remember the name of the subdirectory and name your initial private page "index.html", since the authentication process of a .htaccess file handles the login, you don't need a login.html file at all. I have done that with a couple of protected "private" pages that only I ever use and it is very simple. Now this may not satisfy your specific needs, but my point is that it is crucial for you to identify the problem you are trying to solve. Just changing the problem slightly will often lead to quite a different solution.
Yes - we agree. And, in the end, this is precisely what I did.

Now onto other security issues. As I mentioned earlier...
I'll trust pages and directories are secure, once I've had enough time programming in this environment to know I'm securing them properly.
So I've been doing some research and am interested in all of your input.

Firstly - what do all of you think of phpseclib?

Thanks much - Pavilion
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hide URL in status bar

Post by califdon »

Pavilion wrote:Firstly - what do all of you think of phpseclib?
I'll let someone else answer that. I have never used it.
califdon wrote:If you are the only one who is going to use that section, why have a link on the public page at all?
You didn't respond to the one specific suggestion I made. If you anticipate that you will be engaged in high security web development in the future, it may be to your advantage to study and experiment with sophisticated security measures and perhaps a library such as the one you referred to, but if your only purpose is to protect a section of your current website, my assessment is that you're trying to use a 16" naval gun to kill a mosquito. Since I don't know what your objectives are, I can't really offer any advice.

In general, I would tend to emphasize learning about the fundamentals of web security, rather than specific libraries. No matter how good a library may be, if it is used by someone who doesn't understand the fine points of security, it won't offer any protection at all because you may have a bank vault lock on the door, but leave the window wide open. If you understand the fundamentals, though, you can achieve a high level of security with or without somebody's version of a library. Disclaimer: I am NOT a security expert and could use additional knowledge, myself.
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

califdon wrote:If you are the only one who is going to use that section, why have a link on the public page at all?
You didn't respond to the one specific suggestion I made.
Califdon - Actually I did. I wrote, "Yes - we agree. And, in the end, this is precisely what I did." to your following suggestion:
califdon wrote:You could merely remember the name of the subdirectory and name your initial private page "index.html", since the authentication process of a .htaccess file handles the login, you don't need a login.html file at all.
califdon wrote:If you anticipate that you will be engaged in high security web development in the future, it may be to your advantage to study and experiment with sophisticated security measures and perhaps a library such as the one you referred to, but if your only purpose is to protect a section of your current website, my assessment is that you're trying to use a 16" naval gun to kill a mosquito. Since I don't know what your objectives are, I can't really offer any advice.
I'm sorry, I should have clarified myself within the context of this conversation. I do anticipate the need for high security web development for at least one of my clients. Well known organization in my area, several hundred employees, sensitive information and a need for high security. I've built (and maintain) their critical missions database. There are some things we want to do on-line that will give employees access to their data through the web. So... I want to learn how to handle security correctly. Just to really clarify here ... there is a high chance (above 50%) that we will NOT be working through their IT department. It is dysfunctional at best. The reason I've built their critical missions database is because the person in charge of decision making decided years ago that he couldn't wait around for IT, so he contracted with me on his departmental budget. He has the same attitude towards what we want to do on-line. The reason I bring this up is that he will try to work with their existing site, but if he can't get cooperation from the IT department he's willing to "go it alone" and have the site hosted with an independent hosting provider. If this is the route we end up taking, I can't use the security measures in place by their IT department. And that is why learning how to handle security properly is so important.
califdon wrote:In general, I would tend to emphasize learning about the fundamentals of web security, rather than specific libraries. No matter how good a library may be, if it is used by someone who doesn't understand the fine points of security, it won't offer any protection at all because you may have a bank vault lock on the door, but leave the window wide open. If you understand the fundamentals, though, you can achieve a high level of security with or without somebody's version of a library. Disclaimer: I am NOT a security expert and could use additional knowledge, myself.
Understanding the basics is excellent advice. If you know of any good resources that I can study, please do link them. I'm willing to take the time to read, ask questions and learn here. I've done a bit of researching on-line. Trouble is that one can read a lot of different articles about on-line security and not really know if those articles are reflecting "best practice". That is part of the reason I'm asking for feedback here. Just having folks who know the ropes suggest articles and other references helps, because at least I'm being pointed in the right direction.

Thanks Much:

Pavilion
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hide URL in status bar

Post by califdon »

Oh, OK, I didn't catch the connection between your remark "In the end, that is precisely what I did" and my suggestion. Good, I think that's probably appropriate for the particular situation you described.

And now that you have presented more background of what you're aiming for, it makes good sense for you to learn about web security practices in some depth. I am not the best person to offer advice in that area, but I hope that one of our security gurus will jump in here and give you some suggestions.

I understand the tricky situation with your client's IT department and have had a little experience with that kind of situation (I was an employee, outside IT) and, as you probably know quite well, it can be a treacherous situation. Internal politics can lead to some nasty confrontations and could even jeopardize your arrangements with the company. But that's something only you can evaluate.
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

califdon wrote:Oh, OK, I didn't catch the connection between your remark "In the end, that is precisely what I did" and my suggestion. Good, I think that's probably appropriate for the particular situation you described.
Yes - you're right.
califdon wrote:And now that you have presented more background of what you're aiming for, it makes good sense for you to learn about web security practices in some depth. I am not the best person to offer advice in that area, but I hope that one of our security gurus will jump in here and give you some suggestions.
I hope so as well. From my own database experience, I do understand the basic needs. I'm just not sure how to get there, especially in an on-line environment. One of the reasons I initially asked about phpseclib is that in addition to the standard stuff (password hashing, data encryption, etc) it also handles sessions by using a session ID only once. The client I'm researching this for is a 24 hour operation and it's not unusual at all for employees of one shift to leave their computer sessions up when they change shifts. (It's been an on-going issue for years). So... I need to learn how to time out sessions and use tools that will make it harder to steal a session.

Any advice offered by the folks here would be greatly appreciated.
califdon wrote:I understand the tricky situation with your client's IT department and have had a little experience with that kind of situation (I was an employee, outside IT) and, as you probably know quite well, it can be a treacherous situation. Internal politics can lead to some nasty confrontations and could even jeopardize your arrangements with the company. But that's something only you can evaluate.
Well, luckily I don't have to deal with the politics. The person who brought me on board heads up the division and he's handling all the politics. That said, I've several clients and most of the IT departments I work with are great. In general I've a lot of respect for the folks in IT, they're expected to know everything from hardware, through networking and into programming. The smaller the IT department, the more they're expected to cover. I'm lucky, I just get to focus on programming.

But this IT department is dysfunctional - it's the common problem of a leader setting a tone (and in this particular situation the tone is not very productive). Bottom line the division head I report to doesn't trust that a job will get done right if IT is involved. He's concerned about using the organization's website for a lot of reasons, one of which is security. He doesn't trust that folks in the IT department are taking all the precautions they should be taking. And speaking from personal experience with the classical database projects I've worked on, I've the same concerns. They don't know how to properly secure a classical database (and I assume those aren't as hard to secure as something on-line and open for the whole world to get to).

Which gives me all the more motivation to learn proper techniques of securing on-line databases.

Anyway califdon, thank you for your advice and counsel, it is appreciated.

Pavilion

P.S. Now that this topic has evolved from a specific question about Url's to a broader discussion about security, would it be possible for an Admin to move the topic to the PHP - Security forum? Thank you in advance.
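The two session concerns raised in the post above, timing out abandoned shift-change sessions and making a stolen or planted session id worthless, in working PHP. This is an added example, not code from the thread or from phpseclib; it uses only PHP's built-in session functions and assumes PHP 7.3 or later and an HTTPS-only site. The timeouts, the `/secure/` cookie path and the `login.php` redirect target are assumptions:

```php
<?php
// Added example (not from the thread): session hardening for shared workstations.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.

const IDLE_TIMEOUT  = 15 * 60;   // seconds of inactivity before forced logout (assumed policy)
const ABSOLUTE_LIFE = 8 * 3600;  // hard cap on a session's life, active or not (one shift)
const ROTATE_EVERY  = 5 * 60;    // how often a live session gets a fresh id

function secure_session_start(): void
{
    // Refuse session ids the server never issued: a cookie planted by an attacker
    // (session fixation) is discarded instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Cookie is HTTPS-only, invisible to JavaScript, and not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/secure/',   // assumed path of the private area
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created'])) {
        $_SESSION['created']   = $now;
        $_SESSION['last_seen'] = $now;
        $_SESSION['rotated']   = $now;
    }

    // Idle timeout catches the workstation left logged in at shift change;
    // the absolute lifetime catches a session kept alive by a background tab.
    $expired = ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT
            || ($now - $_SESSION['created'])   > ABSOLUTE_LIFE;
    if ($expired) {
        destroy_session();
        header('Location: /secure/login.php?reason=expired');
        exit;
    }
    $_SESSION['last_seen'] = $now;

    // Periodic rotation shortens the window in which a copied id stays usable.
    if (($now - $_SESSION['rotated']) > ROTATE_EVERY) {
        session_regenerate_id(true);   // new id; old id deleted on the server
        $_SESSION['rotated'] = $now;
    }
}

function on_successful_login(int $userId): void
{
    // Always issue a fresh id when privilege changes, so an id captured
    // before login cannot be used after it.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['created']   = time();
    $_SESSION['last_seen'] = time();
    $_SESSION['rotated']   = time();
}

function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as the data on the server.
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call `secure_session_start()` at the top of every page in the private area and `on_successful_login()` only after the password check succeeds. To confirm the timeout actually fires, log in, wait past `IDLE_TIMEOUT`, and check that the next request lands on the login page with a different session cookie; a stale cookie replayed after that must produce a fresh, empty session rather than the old one.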
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hide URL in status bar

Post by Mordred »

Web security is a largish field and it's not easy to cover it all in a meaningful way, so I'll focus on the most important points first:

1. Familiarize yourself with SQL injection and protection measures. The article in my sig is a good second article to read (after a general introduction if you need it) -- and make sure you play with the examples.

2. Use the principle of least authority: for your limited access (as I understand it - this is what you plan) web interface use a limited-privilege database user, so that even if compromised, you'd limit the "damage". Limit both access to tables and allowed operations.

3. Limit web access to the resource as much as possible - ip ranges, company VPN, whatever you can practically implement.

4. Get to know the generic websec problems out there so that you can at least identify if you're going to have a potential problem with something. File uploads, password hashing, XSS are the next big things to read on.

Asking more directed questions and providing code samples will help you further with clearing the details, but these are - in my view - the large points.
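Points 1 and 2 of the post above in working PHP, as an added example that is not part of the thread: a string-built query beside its parameterised replacement, run through a database account that holds only the privileges the web interface needs. The database name `missions`, the tables `jobs`, `activity` and `users`, the account `webapp`, and the `DB_PASS` environment variable are all assumptions:

```php
<?php
// Added example (not from the thread): parameterised queries through PDO, executed
// as a least-privilege MySQL user. All names below are assumptions.
//
// Point 2: the account the web code connects as, created once by the DBA. It can
// read jobs, append activity, and read only the columns a login needs from users;
// no DELETE, no DROP, no GRANT, no access to anything else in the schema.
//
//   CREATE USER 'webapp'@'10.0.0.%' IDENTIFIED BY '...';
//   GRANT SELECT ON missions.jobs     TO 'webapp'@'10.0.0.%';
//   GRANT INSERT ON missions.activity TO 'webapp'@'10.0.0.%';
//   GRANT SELECT (id, password_hash) ON missions.users TO 'webapp'@'10.0.0.%';

function db(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=missions;charset=utf8mb4',
        'webapp',
        (string) getenv('DB_PASS'),
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// VULNERABLE (point 1): user input spliced into the SQL text. A client name of
//   ' OR '1'='1
// returns every row. The limited grants bound what a payload can do, they do
// not stop the injection itself.
function find_jobs_unsafe(PDO $pdo, string $client): array
{
    $sql = "SELECT id, title FROM jobs WHERE client = '$client'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the value is sent to the server separately from the SQL text, so it is
// only ever treated as data, whatever characters it contains.
function find_jobs(PDO $pdo, string $client): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM jobs WHERE client = :client');
    $stmt->execute([':client' => $client]);
    return $stmt->fetchAll();
}

// Identifiers (column and table names) cannot be bound as parameters; the only
// safe way to take them from a request is to map them against a fixed list.
function find_jobs_sorted(PDO $pdo, string $client, string $orderBy): array
{
    $allowed = ['id' => 'id', 'title' => 'title', 'created' => 'created_at'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $sql  = 'SELECT id, title FROM jobs WHERE client = :client ORDER BY ' . $allowed[$orderBy];
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':client' => $client]);
    return $stmt->fetchAll();
}
```

A quick check for point 1 is to call `find_jobs_unsafe()` and `find_jobs()` with the client name `' OR '1'='1`: the first returns the whole table, the second returns nothing because no client is literally named that. Point 3 is an Apache matter rather than PHP: on Apache 2.4 a `Require ip 10.0.0.0/8` line in the private directory's configuration restricts it to the office range, and a VPN does the same job for staff working from elsewhere.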
Pavilion
Forum Contributor
Posts: 301
Joined: Thu Feb 23, 2012 6:51 am

Re: Hide URL in status bar

Post by Pavilion »

Mordred - Thank you. You've provided me with much reading material. I'm sure I'll be back with questions, but first the reading and researching what I've read. :)

Thanks again - Pavilion