PHP Developers Network


All times are UTC - 5 hours




 Post subject: Hide URL in status bar
PostPosted: Fri Aug 10, 2012 12:07 pm 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301
Hello:

I'm rewriting my business site. There are a couple pages for prospects, clients, etc... But... I'm also creating a private area of the website for use with my business. It will give me the ability to access my database when I'm not in the office.

Because the business side of my website is private, the one link to that side is very subtle and "hidden" behind some copyright language. Of course there is always the chance a site visitor will hover over the copyright and see that they can click it. They will get to a login page with no other links.

However, currently, if a user hovers over the copyright language the address of my login page shows up in the browser status bar. I've tried the following:

<a style="color: #405243" href="http://www.mysite.com/private/login.php" onmouseover="window.status='http://www.mysite.com'" onclick="window.status=''">mysite.com</a>.


The above does not change what is seen in the status bar. The full path to my login page shows up.

Does anyone know how to change what is seen in the status bar?

Thanks Much:

Pavilion


PostPosted: Fri Aug 10, 2012 1:44 pm 
Offline
Forum Contributor
User avatar

Joined: Thu May 11, 2006 8:58 pm
Posts: 305
Location: Utah, USA
: "window.status has been disabled in most (if not all) browsers for security reasons".

You can't change it.


PostPosted: Fri Aug 10, 2012 9:27 pm 
Offline
Jack of Zircons
User avatar

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
If your web server is Apache, a better way to protect your private page is to locate it in a subdirectory that uses an .htaccess file to require a username and password to gain access. Then you don't care if someone sees that there is a link, as long as they don't have the username and password.

Read: http://www.javascriptkit.com/howto/htaccess3.shtml and/or
http://www.htaccess-guide.com/password-protection/


PostPosted: Sun Aug 12, 2012 6:30 pm 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301


PostPosted: Sun Aug 12, 2012 7:32 pm 
Offline
Spammer :|
User avatar

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Except now you've removed all the good points of having an <A> link in favor of... well, nothing. If I do a View Source on the page I can very easily see where the link is going.

You're trying to fight against something that isn't even a problem. It wouldn't matter if you broadcasted to the entire Internet where that private login page is so long as the page itself is secure. You came here for advice, right? We're giving it to you. Take it.


PostPosted: Sun Aug 12, 2012 9:16 pm 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301


PostPosted: Sun Aug 12, 2012 10:47 pm 
Offline
Jack of Zircons
User avatar

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
I hear what you are saying and, coming from a database background, myself, I think I can appreciate your feelings, but believe me, just as database principles are foreign to those who lack database training, web development principles are altogether different from your experience. As a college instructor in both fields for many years, I assure you that clinging to your database experience frame of mind will impede your progress and learning. Surrender to the reality that you are working in a totally different environment and open your mind to new concepts as if you had never done any programming at all. Until, of course, your web project involves databases, then throw the switch and think like a database expert. That's my advice.

Now, I think in your situation, the relevant thing for you to do is ask yourself "What problem is it that I am trying to solve?" In re-reading your initial post, it seems to me that your problem was to prevent access to the "business" section of your website. Now that problem seems to have shifted somewhat, which is quite common, to hiding even the knowledge that such a section exists. If you are the only one who is going to use that section, why have a link on the public page at all? You could merely remember the name of the subdirectory and name your initial private page "index.html". Since the authentication process of a .htaccess file handles the login, you don't need a login.html file at all. I have done that with a couple of protected "private" pages that only I ever use and it is very simple. Now this may not satisfy your specific needs, but my point is that it is crucial for you to identify the problem you are trying to solve. Just changing the problem slightly will often lead to quite a different solution.

There are other ways to redirect a request, using a .htaccess file, that would mask your destination path and filename, but I suggest that you consider whether simply not putting a link in your public page would meet your needs.


PostPosted: Mon Aug 13, 2012 8:41 pm 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301


PostPosted: Mon Aug 13, 2012 10:17 pm 
Offline
Jack of Zircons
User avatar

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA


PostPosted: Tue Aug 14, 2012 6:08 am 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301


PostPosted: Tue Aug 14, 2012 12:23 pm 
Offline
Jack of Zircons
User avatar

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Oh, OK, I didn't catch the connection between your remark "In the end, that is precisely what I did" and my suggestion. Good, I think that's probably appropriate for the particular situation you described.

And now that you have presented more background of what you're aiming for, it makes good sense for you to learn about web security practices in some depth. I am not the best person to offer advice in that area, but I hope that one of our security gurus will jump in here and give you some suggestions.

I understand the tricky situation with your client's IT department and have had a little experience with that kind of situation (I was an employee, outside IT) and, as you probably know quite well, it can be a treacherous situation. Internal politics can lead to some nasty confrontations and could even jeopardize your arrangements with the company. But that's something only you can evaluate.


PostPosted: Tue Aug 14, 2012 8:44 pm 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301


PostPosted: Wed Aug 15, 2012 4:39 am 
Offline
DevNet Resident
User avatar

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Web security is a largish field and it's not easy to cover it all in a meaningful way, so I'll focus on the most important points first:

1. Familiarize yourself with SQL injection and protection measures. The article in my sig is a good second article to read (after a general introduction if you need it) -- and make sure you play with the examples.

2. Use the principle of least authority: for your limited access (as I understand it - this is what you plan) web interface use a limited-privilege database user, so that even if compromised, you'd limit the "damage". Limit both access to tables and allowed operations.

3. Limit web access to the resource as much as possible - IP ranges, company VPN, whatever you can practically implement.

4. Get to know the generic websec problems out there so that you can at least identify if you're going to have a potential problem with something. File uploads, password hashing, XSS are the next big things to read on.

Asking more directed questions and providing code samples will help you further with clearing the details, but these are - in my view - the large points.
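
Added example, not part of the thread: a sketch of the .htaccess password protection suggested earlier in the discussion, combined with the address restriction from point 3 of the post above. The file paths, realm name, user name and the 203.0.113.0/24 range are placeholders, and mod_ssl is assumed to be loaded.

```apache
# /private/.htaccess  (constructed example; paths, realm and range are placeholders)
# Takes effect only if the server config permits overrides for this directory:
#   AllowOverride AuthConfig      (add Limit if you use the 2.2 host rules below)

# Basic auth sends the password with every request, only base64-encoded,
# so refuse any request that did not arrive over TLS (needs mod_ssl).
SSLRequireSSL

AuthType Basic
AuthName "Private area"
# Keep the password file outside the document root so it can never be served.
# Create it with:  htpasswd -c /home/example/auth/.htpasswd yourname
AuthUserFile /home/example/auth/.htpasswd

# Apache 2.4: a request must satisfy both conditions.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# Apache 2.2 equivalent of the <RequireAll> block:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.0/24
#   Require valid-user
#   Satisfy All
```

With this in place the browser prompts for credentials before anything under the directory is served, so the location of the private area can be known without being reachable.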


PostPosted: Wed Aug 15, 2012 6:58 am 
Offline
Forum Contributor

Joined: Thu Feb 23, 2012 7:51 am
Posts: 301
Mordred - Thank you. You've provided me with much reading material. I'm sure I'll be back with questions, but first the reading and researching what I've read. :)

Thanks again - Pavilion

