Detecting the page that the client visits after their site - web analytics

(Correct me if I'm wrong.) A server host can detect the pages that a visitor goes to before and after they visit the host's site.
To what extent can a server host receive information about which sites a client visits before and after the visit to the present page?

There are probably two ways of doing this, which both serve different purposes:
If a user clicks a link on another page to go to your page, the page they came from (the referrer) will be sent in the Referer (sic) HTTP header. (See the HTTP specification.)
Most web frameworks and web-oriented languages provide an easy way to access this value, and most web analytics tools will process it out of the box. (Specifically how you go about getting at this value depends on what tools you use; there is a sketch after the caveats below.) There are three caveats, though:
This header can be turned off in the settings on most browsers. (Most users don't do this, but a few tech-savvy and privacy-conscious users might.)
This only works if the user clicks a link. If the user types in the web address manually, the header won't be there.
You can only see one page immediately before the visit to your site.
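As an illustration, here is a minimal sketch of reading the header in Flask; the framework, route name and logging are arbitrary choices for the example, not something this answer prescribes:

```python
# Minimal Flask sketch: log the Referer header (if any) for each page view.
from flask import Flask, request

app = Flask(__name__)

@app.route("/landing")
def landing():
    # request.referrer is None when the header was not sent (typed-in URL,
    # privacy settings, and so on), so always handle the missing case.
    referrer = request.referrer or "(no referrer)"
    app.logger.info("Visitor arrived from %s", referrer)
    return "Welcome"
```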
If you want to see where a user travels across pages that you control, you can do this by setting a cookie with a unique value per visit and logging each page load against it (see the sketch after the caveats below).
As with the above, how you go about doing this depends on what tools you use, and there are a few caveats:
Like the Referer header, some tech-savvy and privacy-conscious users like to browse with cookies switched off.
Obviously, you can only see visits to pages that you control yourself (and that you can set cookies on).
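A minimal sketch of this cookie approach in Flask; the cookie name, routes and logging are made up for illustration, and a real deployment would store the page loads somewhere more durable:

```python
# Minimal Flask sketch: give each visit a unique id via a cookie and record
# every page load against it.
import uuid
from flask import Flask, g, request

app = Flask(__name__)

@app.before_request
def track_page_load():
    # Reuse the visit id from the cookie, or mint a new one for this visit.
    g.visit_id = request.cookies.get("visit_id") or str(uuid.uuid4())
    # In a real system you would write this to a database or analytics store.
    app.logger.info("visit %s loaded %s", g.visit_id, request.path)

@app.after_request
def set_visit_cookie(response):
    if not request.cookies.get("visit_id"):
        response.set_cookie("visit_id", g.visit_id)
    return response

@app.route("/<path:page>")
def any_page(page):
    return f"Page: {page}"
```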

Related

How to remove the address bar on a non-secure HTTP page

I am trying to remove the address bar in Edge on Windows 10.
I can remove the address bar by installing a test page as an Edge app,
but if the page is non-secure HTTP the address bar remains.
As you can see in this test:
test with HTTP and HTTPS
How can I prevent Edge from inserting the "Not secure" warning / address bar for specific HTTP content?
Please note that the HTTP content consists of intranet web applications.
I would like to try regedit first, so that I can design the policy later.
Could you please help me with this?
You can't hide the address bar through Group Policy or the registry, and it is not recommended to do so. Users should see what URL they are browsing; otherwise it may cause security issues.
If a website doesn't have a valid certificate, the information sent to and from it is not secure and can be intercepted by an attacker or seen by others. There's a risk to your personal data when sending or receiving information from such a site. In my opinion, users should know when a site is risky so they can decide whether to continue accessing it. Otherwise, as mentioned above, it may cause security issues.
Therefore I don't think your requirement can be achieved. Maybe you could refer to this doc: Securely browse the web in Microsoft Edge

Why should response caching be disabled for authenticated clients

I am currently working on a website that provides a personalized timetable for each employee of a specific company; this timetable is updated internally every five minutes. When opening the website you can use a normal pager to look at all of the weeks.
At some point I noticed from the user behaviour that people click between weeks a lot and visit the same page (of the pager) multiple times within a minute. I thought it would be a good idea to cache these individual pages for, let's say, 2.5 minutes.
Since this web app is powered by ASP.NET Core, I visited the MSDN documentation about caching, which states the following:
Disable caching for content that contains information for authenticated clients. Caching should only be enabled for content that doesn't change based on a user's identity or whether a user is signed in.
I know that this is just a warning, but why is there a need for a warning? Is there any reason why this would be bad, besides the fact that specific data could be 'outdated'?
I found the answer to the question with the help of @Eilon, who linked me to this GitHub issue, which provides a simple example. In short, the concern is that a different authenticated user could get a cached response containing information about another authenticated user. Since this can be controlled, and sometimes it won't even matter, it is only a warning in the MSDN.
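The question is about ASP.NET Core, but the underlying HTTP rule is framework-agnostic. A minimal Flask sketch of the safe way to cache per-user pages (route and data are made up for illustration):

```python
# Personalized responses must not be stored by shared caches, or one user's
# timetable could be served to another user. "private" lets the user's own
# browser cache the page, while forbidding proxies from reusing it for others.
from flask import Flask, make_response

app = Flask(__name__)

def timetable_for(user):
    # Hypothetical lookup of a user's personal timetable.
    return f"Timetable for {user}"

@app.route("/timetable/<user>")
def timetable(user):
    resp = make_response(timetable_for(user))
    resp.headers["Cache-Control"] = "private, max-age=150"   # 2.5 minutes
    return resp
```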

How is CORS safer than no cross domain restrictions? It seems to me that it can be used maliciously

I've done a bit of reading on working around the cross domain policy, and am now aware of two ways that will work for me, but I am struggling to understand how CORS is safer than having no cross domain restriction at all.
As I understand it, the cross-domain restriction was put in place because, in theory, a malicious script could be inserted into a page that the user is viewing and cause data to be sent to a server that is not associated with (i.e. not the same domain as) the site that the user has specifically loaded.
Now with the CORS feature, it seems like this can be worked around by the malicious guys, because it's the malicious server itself that is allowed to authorise the cross-domain request. So if a malicious script decides to send details to a malicious server that has Access-Control-Allow-Origin: * set, that server can now receive the data.
I'm sure I've misunderstood something here, can anybody clarify?
I think @dystroy has a point there, but it is not all of what I was looking for. This answer also helped: https://stackoverflow.com/a/4851237/830431
I now understand that it's nothing to do with prevention of sending data, and more to do with preventing unauthorised actions.
For example: a site that you are logged in to (e.g. a social network or bank) may have a trusted session open with your browser. If you then visit a dodgy site, it will not be able to perform a cross-site attack using the sites that you are logged in to (e.g. post spammy status updates, get personal details, or transfer money from your account), because of the cross-domain restriction policy. The only way it would be able to perform that attack would be if the browser didn't have the cross-site restriction enabled, or if the social network or bank had implemented CORS to include requests from untrusted domains.
If a site (e.g. a bank or social network) decides to implement CORS, then they should be sure that it can't result in unauthorised actions or unauthorised data being retrieved, but something like a news website content API or Yahoo Pipes has nothing to lose by enabling CORS on *.
You may set a more precise origin filter than "*" (there is a sketch of this below).
If you decide to open your specific page to being included in another page, it means you'll handle the consequences.
But the main problem cannot be that a server can receive strange data: that's nothing new; everything that a server receives is suspect. The protection is mainly for the user, who must not be abused by an abnormal composition of sources (the enclosing page being able to read the enclosed data, for example). So if you allow all origins for a page, don't put data in it that you only want to share with your own user.
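A minimal Flask sketch of that "more precise origin filter" idea; the endpoint and allow list are made up for illustration:

```python
# Only echo back the Origin header when it is on an explicit allow list,
# instead of sending Access-Control-Allow-Origin: * to everyone.
from flask import Flask, request, jsonify

app = Flask(__name__)
ALLOWED_ORIGINS = {"https://trusted-partner.example"}   # hypothetical partner site

@app.route("/api/public-data")
def public_data():
    resp = jsonify(items=["headline 1", "headline 2"])
    origin = request.headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # Only this origin may read the response from a browser; other sites
        # get no CORS header and their scripts cannot read the body.
        resp.headers["Access-Control-Allow-Origin"] = origin
        resp.headers["Vary"] = "Origin"
    return resp
```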

SSL: use on any page or just on login and several more forms?

OK, I thought an SSL certificate should be used on pages that display sensitive information, on the login page, on change-password pages and so on.
But in this thread, SSL Certificate. For which pages?, which was opened about 6 months ago, the best recommendation according to votes was to use an SSL certificate for absolutely all pages on the website, even the About page. Well... if you run a news website where some users log in and pay for an advanced subscription, and you are one of those users, do you read the news over SSL? :)
1) The first question: I've never seen a website with HTTPS on the About page. Can I doubt that this recommendation is the best one?
2) The second question: Why doesn't eBay follow that rule of having an HTTPS connection on every page? I see they use SSL only on the login page and never before you log in. After you log in, you see HTTP, not HTTPS. What's their reasoning?
3) If you have page A for guests, page B for logged-in users, page C as a sign-in page and page D for registration, would you recommend using SSL for pages B, C and D, but not for A?
Thank you.
SSL flows both ways. You need to worry not only about the secrets transmitted from server to client, but also about the secrets transmitted from the client to the server. Amongst other things, the latter group includes commonly used client identification mechanisms like basic authentication headers, authentication cookies, and session cookies for authenticated sessions. It is possible to set things up so that such information is not transmitted from the client for certain pages, in which case it becomes safe to load them over HTTP. However, the mechanisms for doing so can be complex to maintain and require strict and ongoing auditing. Unless you are willing to make that effort, you should be using HTTPS for all pages that an authenticated user can possibly visit.
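A minimal Flask sketch of one such mechanism, marking the session cookie Secure so the browser never sends it over plain HTTP (the configuration shown is an illustrative assumption, not the only way to set this up):

```python
# With SESSION_COOKIE_SECURE the session cookie is only sent over HTTPS, so
# pages served over plain HTTP never receive the user's authentication secret.
from flask import Flask, session

app = Flask(__name__)
app.secret_key = "change-me"               # placeholder; use a real secret in production

app.config.update(
    SESSION_COOKIE_SECURE=True,            # never send the cookie over plain HTTP
    SESSION_COOKIE_HTTPONLY=True,          # keep the cookie away from page scripts
)

@app.route("/login", methods=["POST"])
def login():
    # Hypothetical login; real credential checking is omitted.
    session["user"] = "alice"
    return "Logged in"
```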
I haven't read what was said on that link, but I wouldn't agree. SSL does have a performance hit, so using it for everything, just because you can, wouldn't make any sense. As with everything else in technology, use it sparingly.

What's your favorite cross domain cookie sharing approach? [closed]

I see the iframe/P3P trick is the most popular one around, but I personally don't like it because JavaScript + hidden fields + frames really make it look like a hack job. I've also come across a master-slave approach that uses a web service to communicate (http://www.15seconds.com/issue/971108.htm), and it seems better because it's transparent to the user and robust across different browsers.
Are there any better approaches, and what are the pros and cons of each?
My approach designates one domain as the 'central' domain and any others as 'satellite' domains.
When someone clicks a 'sign in' link (or presents a persistent login cookie), the sign in form ultimately sends its data to a URL that is on the central domain, along with a hidden form element saying which domain it came from (just for convenience, so the user is redirected back afterwards).
This page at the central domain then proceeds to set a session cookie (if the login went well) and redirect back to whatever domain the user logged in from, with a specially generated token in the URL which is unique for that session.
The page at the satellite URL then checks that token to see if it does correspond to a token that was generated for a session, and if so, it redirects to itself without the token, and sets a local cookie. Now that satellite domain has a session cookie as well. This redirect clears the token from the URL, so that it is unlikely that the user or any crawler will record the URL containing that token (although if they did, it shouldn't matter, the token can be a single-use token).
Now, the user has a session cookie at both the central domain and the satellite domain. But what if they visit another satellite? Well, normally, they would appear to the satellite as unauthenticated.
However, throughout my application, whenever a user is in a valid session, all links to pages on the other satellite domains have a ?s or &s appended to them. I reserve this 's' query string to mean "check with the central server because we reckon this user has a session". That is, no token or session id is shown on any HTML page, only the letter 's' which cannot identify someone.
A URL receiving such an 's' query tag will, if there is no valid session yet, do a redirect to the central domain saying "can you tell me who this is?" by putting something in the query string.
When the user arrives at the central server, if they are authenticated there, the central server will simply receive their session cookie. It will then send the user back to the satellite with another single-use token, which the satellite will treat just as it would after a login (see above). That is, the satellite will now set up a session cookie on that domain and redirect to itself to remove the token from the query string.
My solution works without script or iframe support. It does require '?s' to be added to any cross-domain URLs where the user may not yet have a cookie at that URL. I did think of a way of getting around this: when the user first logs in, set up a chain of redirects around every single domain, setting a session cookie at each one. The only reason I haven't implemented this is that it would be complicated: you would need a set order in which these redirects happen and a rule for when to stop, and it would prevent you from expanding beyond 15 domains or so (many more and you come dangerously close to the 'redirect limit' of many browsers and proxies).
Follow-up note: this was written 11 years ago, when the web was very different - for example, XMLHttpRequest was not regarded as something you could depend on, much less across domains.
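A minimal sketch of the satellite side of this flow, written in Flask purely for illustration. verify_token_with_central() stands in for a hypothetical server-to-server call that exchanges the single-use token for a user id; the original answer predates any particular framework, so all names here are made up:

```python
from flask import Flask, redirect, request, session, url_for

app = Flask(__name__)
app.secret_key = "change-me"               # placeholder secret for the session cookie

def verify_token_with_central(token):
    """Hypothetical check against the central domain: returns a user id or None."""
    ...

@app.route("/sso/landing")
def sso_landing():
    if "user" in session:                  # the satellite already has its own session
        return f"Hello {session['user']}"
    token = request.args.get("token")
    user = verify_token_with_central(token) if token else None
    if user is None:
        return "Not authenticated", 401
    session["user"] = user                 # satellite now has a local session cookie
    # Redirect to self without the token so the single-use token never lingers
    # in the URL, browser history or logs.
    return redirect(url_for("sso_landing"))
```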
That's a good solution if you have full control of every domain's backend. In my situation I only have client-side (JavaScript/HTML) control on one and full control on the other, so I need to use the iframe/P3P method, which sucks :(.
OK, I seem to have found a solution: you can create a script tag whose src points to the domain you want to set/get cookies on... only Safari so far seems unable to SET cookies, but IE6 and FF work fine... still, if you only want to GET cookies, this is a very good approach.
The example in that article seems suspicious to me because you basically redirect to a URL which, in turn, passes variables back to your domain in a query string.
In the example, that would mean that a malicious user could simply navigate to http://slave.com/return.asp?Return=blah&UID=123 and be logged in on slave.com as user 123.
Am I missing something, or is it well known that this technique is insecure and shouldn't be used for, well, the sort of thing that example suggests (passing user IDs around, presumably to make one's identity portable)?
@thomasrutter
You could avoid having to manage all outbound links on satellites (via appending "s" to querystring) by making an ajax call to check the 'central' domain for auth status on page load. You could avoid redundant calls (on subsequent page loads) by making only one per session.
It would be arguably better to make the auth check request server-side prior to page load so that (a) you have more efficient access to session, and (b) you will know upon page render whether or not the user is logged in (and display content accordingly).
We use cookie chaining, but it's not a good solution since it breaks when one of the domains doesn't work for the user (due to filtering / firewalls etc.). The newer techniques (including yours) only break when the "master" server that hands out the cookies / manages logins breaks.
Note that your return.asp can be abused to redirect to any site (see this for example).
You should also validate the active session information against domains b, c, d, ...; this way a user can only log in if they have already logged in at domain a.
What you can do is, on the domain receiving the variables, also check the referrer address, so you can confirm the request came via a link from your own domain and not from someone simply typing the link into the address bar (a sketch follows below). This approach works well.
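A minimal Flask sketch of that referrer check; the route, parameter and trusted prefix are made up (the original discussion was about a return.asp page), and note that browsers may omit the Referer header:

```python
from flask import Flask, abort, request

app = Flask(__name__)
TRUSTED_REFERRER_PREFIX = "https://master.example/"   # hypothetical "own domain"

@app.route("/return")
def return_handler():
    referrer = request.referrer or ""
    if not referrer.startswith(TRUSTED_REFERRER_PREFIX):
        # The request did not arrive via a link from our own domain (or the
        # browser stripped the Referer header), so reject it.
        abort(403)
    uid = request.args.get("UID")
    return f"Accepted sign-in for user {uid}"
```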

Resources