Change from url parameter so nothing in URL line

[seanh]

I currently have a webserver that passes parameters on the url.  i now need to change that to make it harder for people to just type something one the address line of the browser.
I haven't done web stuff for months so I'm rusty.
Whats the best way to acheive this?

[Bruce]

Hi Sean,

>> I currently have a webserver that passes parameters on the url. 
>> I now need to change that to make it harder for people to just type something on the address line of the browser.

Context is going to matter a lot. So I guess, let's start at the beginning.
Firstly;

>> I currently have a webserver that passes parameters on the url. 

What sort of URL's are you seeing in the browser address bar? What are you clicking on that gives you these requests? (ie is it a menu item, a browse button, form button, custom link or something else etc?

Cheers
Bruce

[seanh]

Hi Bruce
Yeah, I should know better and provide more info eh

Current url from a menu:
http://localhost:8888/searchMEDAL_Info?Medal=6283&btype=roster

This brings up a roster where there are buttons to select differing view. The buttons set the Medal and btype (Button type) and display the appropriate view.  The url does not change pressing the buttons.

The problem is they now want the medal and btype not in the url, the staff have found you can just type whatever you want there and get the appropriate view. 
That was fine initially, but hey things change.  Now it's not fine.  sigh.

I'm just not 100% sure how to go about this. 
I "think" I should be able to set values somewhere to do this. (but can't find where on a menu) But I also "think" that might not stop the typing thing from continuing to work.

Help is appreciated

[Bruce]

Hi Sean,

I suspect you are using an auto-numbered value in Medal right? So by exposing the number you are actually exposing all the other medals as well - because I can try ?Medal=6284, ?Medal=6285 and so on.

This is a common flaw in database design which is especially poor under auto-inc, and has lead to some rather high-profile data attacks over the years.
Also passing unique ID's on the command line like this can lead to data leakage, because this request is stored in logs etc. So using "real" values is problematic.

To avoid all this unpleasantness NetTalk employs a system which translates these "real values" into temporary (session based) random values. Using this approach users are not able to guess "other correct values" and are not able to re-use the link in another session, or after the current session expires.

A discussion of this approach, and how to pass parameters safely, is described here;
https://www.capesoft.com/docs/NetTalk11/NetTalkWebFAQ.htm#W4

Of course with this the URL is still visible, just meaningless to the user, and can't be abused. Even if we make the URL invisible though, you still want to use this approach because this is not the only place this value is visible. It may be the most obvious place, but simply moving the problem somewhere else is not helpful. So first correct this, then if we need to we can look at removing it from the URL.

cheers
Bruce

[seanh]

Hi Bruce

I suspect you are using an auto-numbered value in Medal right? So by exposing the number you are actually exposing all the other medals as well - because I can try ?Medal=6284, ?Medal=6285 and so on.

Actually I suspect something like that. They've been using allocating numbers for decades I have no idea how.  My app is read only and a small cog in the entire system. 

To avoid all this unpleasantness NetTalk employs a system which translates these "real values" into temporary (session based) random values. Using this approach users are not able to guess "other correct values" and are not able to re-use the link in another session, or after the current session expires.

A discussion of this approach, and how to pass parameters safely, is described here;
https://www.capesoft.com/docs/NetTalk11/NetTalkWebFAQ.htm#W4

I'm not sure if this will help me.  I've gone looking for the docs on the .AddBrowseValue method but I can't find them, I keep going around in circles.  On you website Could you please put a link to the method reference in an easy to find place please

I don't think it was really clear, but I only provide browses, the parameters are effectively filters for those.  What you suggest is, I think, what I'm after. but I'm still not sure how to go about it.

[Jane]

Hey, Sean, I haven't watched them but the show notes for webinars 128 and 129 appear to have some discussion of that method:  https://www.capesoft.com/accessories/NetTalkUserGroup.htm

Cheers,

Jane

[Bruce]

>> On you website Could you please put a link to the method reference in an easy to find place please

There is no method reference for the web server - the code itself is the best reference

>> I'm not sure if this will help me. 

yeah it will - but perhaps let's take a step back.

>> Current url from a menu:
>> http://localhost:8888/searchMEDAL_Info?Medal=6283&btype=roster

So I'm guessing you have a menu item set so the procedure is searchMEDAL_Info and the parameters are set to
Medal=6283&btype=roster

So my question becomes;
Where does Medal=6283 come from? I'm guessing it's not hard-coded?

cheers
Bruce
 

[DonRidley]

Hey Sean,

Hope all is well with you!!

p_web.AddBrowseValue() will definitely be your friend!  It obfuscates those URL values and provide a level of protection against those with bad intentions.

If you have a browse of this data somewhere, you probably aready have an example of p_web.AddBrowseValue() floating aroung in there.  ;-)

There are other ways to pass data in a request but, regardless, you wouldn't want your key values to be free and clear in the wild so to speak.

Shoot me an email if you need to and I'll help in any way I can.

Don

[seanh]

Bruce:

There is no method reference for the web server - the code itself is the best reference

Debatable Code can take a while to translate into what it's doing. A short paragraph is easier to read

So I'm guessing you have a menu item set so the procedure is searchMEDAL_Info and the parameters are set to
Medal=6283&btype=roster
So my question becomes;
Where does Medal=6283 come from? I'm guessing it's not hard-coded?

Actually from the menu Yes it's hard coded the menu parameter is actually: 'Medal=Me&btype=roster'  Initially it's actually set to medal=Me.  Which is a stored value from logon.  Other places it comes from a browse. 
 All the values I use come from MS MSQL stored procedures, the parameters, along with some session values, are used as parameters to the Stored procedures the results of which I load into a memory table for browsing.

So I don't want to retrieve a row from a file, being a memory table it's gone, I need the parameter values to plug into the SPs

AddBrowseValue() seems to setup and save a file position and fields based on a key, and GetBrowseValue() seems to retreive it,  but thats not really what I have.
I'll continue to look and play however.

Don
Thanks for the offer. I night take you up on that

[seanh]

I've made some progress. (would have been faster with documentation dig dig)

I created a dummy table to use to do the parameters and I changed the menu params to: 'px=' & p_web.AddBrowseValue('searchMEDAL_Info','DummyParam',par:pk,'Me',' ','roster')
In searchMEDAL_Info I've got
IF p_web.GetBrowseValue(p_web.GetValue('px'))
    p_web.SSV('showbrowse', p_web.GetValue('par:button'))
    p_web.SetValue('Medal',p_web.GetValue('par:medal'))
END
Which works great!   The first time. 
The next time I click the menu item I get nothing. The return from GetBrowseValue() is False

So any additional pointers would help

[Bruce]

Hi Sean,

>> Debatable Code can take a while to translate into what it's doing. A short paragraph is easier to read

true. And I've certainly documented my fair share of classes . But in this case the doc doesn't exist so the code is the best available reference.

>> The next time I click the menu item I get nothing. The return from GetBrowseValue() is False

I think it's getting to the place where you might need to make an example.

also - I'm not convinced about your starting position - if the value is "me" why are you passing it at all? surely it could just be a session value?
What if you re-architected this so you don't pass the parameter at all - since it's fixed to the user it should be server-side methinks...

cheers
Bruce

[seanh]

Hi Bruce

>>I think it's getting to the place where you might need to make an example.

More than happy to send it to you privately. It's a fairly small app.

>>also - I'm not convinced about your starting position - if the value is "me" why are you passing it at all? surely it could just be a session value?
>>What if you re-architected this so you don't pass the parameter at all - since it's fixed to the user it should be server-side methinks...

I currently set session values for most things, but I use the same procedures to view different persons rosters. If I want to now get back to me, how do I do that? Using session vales it's just the last person.

[seanh]

Actually I was beginning to wonder if I was over thinking the problem. And I was. 
The problem was to change the url to avoid possible abuse. Set/GetBrowseValue() was suggested. which I had trouble with. 

However when I stopped and re-examined the web site, it was really only the menu items that had a problem, everywhere is already using the appropriate code, and I finally realised that the obscure bit didn't need to be dynamic or weird, just unable to be abused by changing stuff in the url. 

So I changed the menu item to pass 'px=HomeRoster' and I evaluate that and set stuff.   Works like a charm

Thanks all