Hiding URL in Address Bar

She has: 88 posts

Joined: Sep 2001

Is it possible to keep a URL from displaying in the address bar? I ask because we are using a new system for employees to log in their time worked and we don't want them to be able to see the URL so they can dishonestly log in from home when ill.

teammatt3's picture

He has: 2,102 posts

Joined: Sep 2003

You're in Portland? That's cool, I live right across the river in Vancouver.

I don't think there is a way to do that (thank goodness). That would really make things bad; imagine what a phisher could do with something like that. An alternative would be to record the IPs of the computers in the office, and only allow those addresses access to the website. Or you could set up an intranet.

Busy's picture

He has: 6,151 posts

Joined: May 2001

You could use a frame (99/1), but if they know how to right click (or from the tool bar), they would be able to find the address. I'd go with the intranet idea.

She has: 88 posts

Joined: Sep 2001

The company that will be hosting the timesheet is not owned or accessible by us. I'm already using our company intranet for the link. Unfortunately, I don't have control over the look and feel of the timesheet page and the way it's set up would be confusing for our employees with it inside our intranet frames.

Thanks for replying! If/when I find another solution, I'll post it.

DDoSAttack's picture

He has: 38 posts

Joined: Oct 2006

What do you mean by hide it?

Also, why not hold the company that handles the software responsible for accounting when and where the employees log in and out from?

She has: 88 posts

Joined: Sep 2001

I don't want users to see/copy the URL so they can dishonestly log in and indicate they're working when they're not, i.e., when on vacation or home ill. As for making the service company responsible, I don't know if that's an option. I'll bring it up to HR and see if that is part of the service we're buying.

Thanks, everyone, for mulling this one over!

FrankR's picture

He has: 45 posts

Joined: Oct 2006

Hey Dami:

While it might seem that hiding the URL is a fast way to prevent fraud with your time tracking system, that is the wrong way to do it! Relying on obscurity to protect your application is a losing proposition against insider fraud and outsider attacks.

If people are only supposed to use the application from work, why not restrict it by IP address using a tailored firewall rule? Also, do you know for certain that the company that developed and is hosting the timesheet application paid close attention to security risks? Do you host other sensitive information with them?

For example, consider SQL injection attacks against web applications. They are very common and can lead to complete information disclosure from the majority of sites today. Attackers even use Google to locate potential victims. There is a threat and you are at risk.

The point of this post is to give you a push in the right direction to become an informed customer for business software that is accessible online. I advise against focusing on hiding the URL and instead focusing on putting strong access control in place and making sure that your system is audited for security vulnerabilities. Hold the software vendor responsible and don't let them slip one past you.

Frank

Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.

She has: 88 posts

Joined: Sep 2001

Frank, thank you for your very interesting comments. The company that provides the software and the hosting does all of our Human Resources/Payroll management, too, so I'm very sure that they're aware of security risks. I realize this problem of hiding the URL isn't the most secure way of maintaining the time sheet. However, that company doesn't seem to think that dishonest people might try to log in from home, so they have no intention of securing the directory from outside IP addresses. I don't know the underlying networking setup that might be in place for other services/access we buy from them, so that may be part of the issue.

Again, thanks for your thoughts!
