ColdFusion Development
 
#1
May 14th, 2004, 11:42 PM
Alas
Application Security

Ok here's the situation

I, like many, created a link to a page with no browser, no scrollbars, no statusbars, etc. Why? To prevent people from sticking their nose in certain areas of my application. The problem is that for about 4-10 seconds the URL is displayed in the top portion of the page. Anybody curious enough can open a new window and type in what they saw, giving them the page with toolbars, scroll, navigation, statusbar, etc. I know I can't prevent this, but I've seen a script that detects when the person does this and displays a popup that says "The web page you are viewing is trying to close the window, Do you want to close this window?" If the client clicks NO it will keep on appearing indefinitely, hence preventing them from doing anything until they click yes, therefore closing the window. I need that script. It might be CF or maybe even a stupid Javascript, but I desperately need it. Any help is appreciated.

PS. In case you need the no scrollbar, no navigation, etc. script here it is.

<a href="YOURPAGE.cfm" onmouseover="window.status='What you lookin at';return true;" onmouseout="window.status='YOUR COMPANY';return true;" onClick="window.open('YOURPAGE.cfm', 'window', 'window,width=800,height=550,left=0,top=0,scrollbars=yes,history=no,resizable=no,status=no,toolbar=no,location=no,menubar=no'); return false;"><img border="0" src="images/YOURIMAGE.jpg" width="95" height="31"></a><img border="0" src="images/YOURIMAGE.jpg" width="245" height="31">

If you have any ideas I'd welcome them

#2
May 15th, 2004, 02:33 AM
Alas
Nevermind I figured it out

Never mind, I figured it out all by myself *cough* yeah I know I'm bad. What? What, was that? You want to know how I did it, so you can reap the benefits of my hard work? Well there's nothing more American than that, so in the spirit of developers helping each other, here it is. Of course if you're going to use this code don't alter the credits plz. What? Did I hear you laughing, what was that? The internet is really big and I'll never find out that u erased my name off my script? Yeah you're probably right, but c'est la vie.

Stick this part in your <Head> tag

Code:
<script language="JavaScript">
<!---
Script provided by Alas
Wickedwd.com
You're a dork if you erase my name  :p
--->
// Ask the user to confirm an action; returns true if they click OK.
function getPermission(theobject) {
	return window.confirm("Wickedwd.com" + theobject + "???");
}

window.focus();

// Open a module in a popup window without status bar or navigation.
function openModule(modtemplate, winname) {
	application = window.open(modtemplate, winname, "status=0,scrollbars=yes,navigation=no,resizable,height=600,width=800");
}

// Check once a second that this window still has its opener.
function starttimer() {
	newtimer = setInterval(checkforhome, 1000);
}

// Close this window if it was not opened from the home page
// (no opener) or if the opener has since been closed.
function checkforhome() {
	if (!window.opener || window.opener.closed) {
		window.close();
	}
}
</script>


Stick this part in your <Body> tag

Code:
<body onload="starttimer()" leftmargin="0" topmargin="0" rightmargin="0" bottommargin="0">



This is dedicated to Kiteless, who as you can see goes out of his way to help other developers.

PS. Hey, I'm still having problems creating a reservation system; the specifics are posted in my beg for help 13 threads below this one. Please help me out if you can. What I'm looking to create is exactly what can be found at http://www.ciecpr.com/schedule/index.htm

PSS. Don't say I never gave you guys anything.

PSSS. What? I just gave you a javascript in a coldfusion forum you say? Well, bite me.

PSSSS. What the hell does PS. stand for anyways?! No seriously, if you know, post it, I've always wondered.

Check you later,
Alas

PSSSSS. If anyone plays America's Army my clan is recruiting @ www.e-magpr.com/eclan

Last edited by Alas : May 15th, 2004 at 02:37 AM.

#3
May 15th, 2004, 11:16 AM
kiteless

Alas, keep in mind that this solution is only obfuscating. In other words, someone can turn Javascript off or open the page in another standard browser window, etc. Thanks for the dedication too.

#4
May 16th, 2004, 12:16 AM
Alas
Seriously?!

Seriously?! You can turn off Javascripts! How?! And how can I prevent it?

But in reference to opening a new browser window, that's what the code prevents. The message to close shows up if you're in a window with navigation; the window I want them in doesn't have any, so if they play nice and don't try to go Matrix on me and try to copy paste the URL into a new window then they won't get the close message. What? They can put it on their favorites or desktop?! Kind of hard when I put in a script to disable right-clicking.

If you have a better way to prevent URL copy pasting into a new window, I'm open to suggestions.

PS nobody's answered my question of what the hell PS stands for.

check u later
Alas

PSS what is obfuscating?

PSSS Kiteless do you work for devshed? I ask cause u answer quite a lot of questions and my name says registered user while yours displays moderator, just curious.

PSSSS You're welcome

Last edited by Alas : May 16th, 2004 at 12:20 AM.

#5
May 16th, 2004, 04:44 AM
ResonantEvil

PS = Post Script

#6
May 16th, 2004, 10:48 AM
kiteless

Yes, you can turn off Javascript. Anyone can. So relying on Javascript for anything is a very risky approach. There is no way to prevent the user from disabling Javascript if they choose to. Javascript is nice for manipulating forms, doing form validation, controlling DHTML, etc. But it is only that: a helper. Anything important MUST be checked/handled on the server side as well, so that it doesn't matter if the user has disabled Javascript.

To be blunt, there is no way you can stop someone who wants to from opening a new browser window and pasting a URL there.

Obfuscate: To make so confused or opaque as to be difficult to perceive or understand: “A great effort was made... to obscure or obfuscate the truth”.

No, I don't work for Devshed (well, they don't pay me), but I am a moderator and thus have the ability to delete threads, ban users, move threads, etc.

#7
May 16th, 2004, 02:44 PM
Alas
Back 2 Square 1

Ok then, with the new info, this is my predicament

The application has a home page; people click on login, then a window opens like a popup without navigation etc. Here they type in their username and password, which begins a session and takes them to a form that will insert data in the same row as their username and password in the database. The problem is that if that person is moronic enough to use a public computer, the history or the navigation will autocomplete itself and will show anyone curious enough www.theform.cfm?CFID=3206CFTOKEN567987
This means that someone can trespass into someone else's account and see their information (they can't change it because the session is over and they haven't logged in, but they can see it, and that's bad). I thought I'd be slick and hide the URL bar, but it stays in the history anyway even though in the javascript I put history=no.

So the question is: how do I prevent someone from going to a member page on a public computer?

PS no, not what does PS stand for in CF script, what does PS stand for in letters that people write to each other. But thanks for the response.

#8
May 16th, 2004, 05:02 PM
kiteless

If your concern is that a user at a public machine can have some later user look at the info in the cache, you should look into the META tags that control caching.

PS does mean "Post Script", you know, like "After the script...after the main text...".

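The server-side handling discussed in posts #6 to #8, as an added example that is not part of the thread or any poster's code: an Application.cfm that keeps CFID/CFTOKEN out of the URL, sends no-cache headers (the HTTP counterpart of the META tags mentioned above), and refuses member pages without a logged-in session. The application name `memberApp`, the session key `userID` and the template `login.cfm` are assumptions.

```cfml
<!--- Application.cfm: ColdFusion runs this before every .cfm page in the directory tree.
      Added example; memberApp, session.userID and login.cfm are assumed names. --->

<!--- Keep the session identifiers in cookies so they never have to travel in the URL,
      where they would end up in the browser history and autocomplete. --->
<cfapplication name="memberApp"
               sessionmanagement="yes"
               setclientcookies="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Tell the browser and any proxy not to store the response, so the Back button
      and the history list have to ask the server again for a member page. --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="0">

<!--- Server-side gate: login.cfm is the only template served without a session.
      It works with Javascript disabled and in any kind of browser window. --->
<cfset isLoginPage = (ListLast(CGI.SCRIPT_NAME, "/") EQ "login.cfm")>
<cfif NOT isLoginPage AND NOT StructKeyExists(session, "userID")>
    <!--- addtoken="no" stops ColdFusion appending CFID/CFTOKEN to the redirect URL. --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

With this in place, a URL typed or pasted into a new window on a shared machine is answered by the login form unless a valid session cookie is present; login.cfm is expected to set `session.userID` after checking the password.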
#9
May 17th, 2004, 10:33 PM
Alas
Thanks again Kiteless

I think you might be on to something. I can't work on it for a couple of days cause of finals, but when I do, and if your cache idea works, I owe you a beer. In the meantime if anyone already has the script I wouldn't mind a copy paste solution.

check you later
Alas

PS I'm guessing the cfflush tag would be used at top and bottom of page so that even though the page goes to history it is resubmitted to the server every time, therefore requiring the login I have implemented in Application.cfm.

PSS If anyone needs the auto require username password script just ask; I don't write it now out of laziness, but if u need it I will.

  
 





© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 6 hosted by Hostway