To stop session sharing i used code
<sessionState mode=”InProc” cookieless=”UseUri”></sessionState>
This is working fine although i am getting awkward URL but it is OK . The problem i am facing is :If user is already login to the application and if user directly copy and paste the URL in web browser to open the page, then user can open the page because user has got already an active session.
but requirement is to restrict copy and paste of URL to open the page. In such cases what we have to do?
i dont have .cs page as this is a old application we have.aspx page with javascript/VB script.
One more issue i got with <sessionState mode="InProc" cookieless="UseUri"> when login to the application and if user directly copy url and paste the URL in web browser to open the page after closing the first one (where we copied url) still user able to open page without login.
Example :http://XXX/YYY/(S(fxiejp3mncnt3wwob3ytkmbf))/Home/FrameSet.aspx
if i paste above URL after closing my opened window (where i copied this uRL) USER is able to open apllication. which is seems like bug .
PLEASE SUGGEST
Please suggest
To stop session sharing i used code
<sessionState mode=”InProc” cookieless=”UseUri”></sessionState>
This is working fine although i am getting awkward URL but it is OK . The problem i am facing is :If user is already login to the application and if user directly copy and paste the URL in web browser to open the page, then user can open the page because user has got already an active session.
but requirement is to restrict copy and paste of URL to open the page. In such cases what we have to do?
i dont have .cs page as this is a old application we have.aspx page with javascript/VB script.
One more issue i got with <sessionState mode="InProc" cookieless="UseUri"> when login to the application and if user directly copy url and paste the URL in web browser to open the page after closing the first one (where we copied url) still user able to open page without login.
Example :http://XXX/YYY/(S(fxiejp3mncnt3wwob3ytkmbf))/Home/FrameSet.aspx
if i paste above URL after closing my opened window (where i copied this uRL) USER is able to open apllication. which is seems like bug .
PLEASE SUGGEST
Please suggest
- 3 Why do you care if the user can open a page by pasting the url into the address bar once they are logged in? – Levi Botelho Commented Nov 21, 2012 at 17:52
- Write a custom browser and implement a secure way to authenticate that that browser is the client application. – Jodrell Commented Nov 21, 2012 at 17:53
- Have some sort of secure session ID which is stored in the url and session. On page load it checks if the two are the same and if so lets the user in. It then would reassign a new var and append it onto all urls. – Jonathan Commented Nov 21, 2012 at 18:01
- 1 You don't. Sure you can make some fancy JavaScript to disable copy pasting, but that is defeated quite easily by simply disabling JavaScript. Why not use cookies instead? – System Down Commented Nov 21, 2012 at 18:02
- 1 You cannot prevent the user from accessing a page by pasting the URL into the address bar. You are far better off eliminating the login id from the URL (if that is how it currently works). If you are using URL based auth, don't. You can't expect a website to take full control of a browser that is locally running on their machine... – Levi Botelho Commented Nov 21, 2012 at 18:08
3 Answers
Reset to default 2If you want to make sure that a user does not go directly to a page, you could look at the referer [sic] in the http header and make sure that it is set and the user navigated through your site to get to the page. If the referer is set to google, or not set, then the user went directly to the URL.
From a security standpoint, you should rely on some identifier in a cookie to store the session information and the cookie shouldn't contain any private or confidential information. If the session id in the cookie doesn't match what the server has for the session, the page should be rejected. (see http://www.truste./blog/2011/12/02/best-practices-for-using-cookies/ for some good tips on sessions)
can you use code like this to disable Copy Paste in your Html markup..?
<html>
<head>
</head>
<body oncopy="return false;" onpaste="return false;" oncut="return false;">
<form id="form1" runat="server">
<div>
Try to copy this and paste in your editor
</div>
</form>
</body>
</html>
Why not associate an IP address with the login session, so that another user cannot cut-and-paste URLs.
(Note that doesn't work if both users are behind the same NAT router, and may be problematic if users are on mobile devices that change IP addresses.)