

Detecting URLs before page change

A hopefully simple question

         

Arthalion

8:27 pm on Feb 18, 2004 (gmt 0)

10+ Year Member



I'm putting a website together with a large secured area that plants a session ID cookie (non-sequential MD5 hash to make spoofing difficult) to match the user with server side sessions. Because we have users accessing the system from shared computers, security is paramount. Despite this, I've received a directive to add links to unsecured content within the secured area, creating a potential security problem... if a user leaves the secured area and then walks away from the computer prior to the 15 minute idle session timeout, someone else could potentially sit down, enter the secured area using the existing session ID, and access the previous user's financial information or grades.

The solution selected seemed to be a simple one: Throw an alert whenever the user leaves the secured area informing them that they need to remember to logout before leaving the computer. I also wanted to give them the option to cancel their decision to leave the page.

So: If I use the window.onunload event handler, I can detect their login status by checking for the existence of the ID cookie, but how do I determine the URL that they've requested to determine whether they're exiting the system or simply moving between the secured system pages? Is there a way in JavaScript to determine where someone is going when they try to leave your page? (This should also detect URLs hand-entered into the address bar.)

If the user hits the cancel button on my window.confirm prompt, is there a way that I can STOP the page change event to keep them from proceeding out of the system?

DrDoc

9:09 pm on Feb 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to Webmaster World!

Even IF you do all this... What if they type in a different URL in the browser's address bar? Even though you could (potentially) interrupt that as well... you wouldn't have any control over the page they were trying to access. And, what if they turn JavaScript off?

Personally I would drop the idea of intercepting those kinds of clicks and make sure they know all this before logging in. You can inform the user that they must log out, or at least close the browser window, if leaving the computer unattended. If someone hijacks their session, it's their fault for leaving it open.

Arthalion

9:46 pm on Feb 18, 2004 (gmt 0)

10+ Year Member



Well, we're legally required to do our "due diligence" to make sure that security problems like this are minimized. This particular web application will end up being heavily used by over 30,000 students at a large California college and security breaches will not only divulge protected personal information, but give a potential attacker access to someone else's personal files, allow them to add or drop classes for a student, etc. It is VERY important that we warn a student if they attempt to leave our secured systems without logging out.

This has always been a minor issue with us, but it's an even bigger one now that we have links INSIDE the secured system that will take the student out of it. A student looking at a loan application who clicks a link to view loan descriptions may not even be aware that they are leaving the secured system if we don't offer this warning, and the insecure pages don't have any links or features that would allow the user to clear their session/logout. If the student doesn't realize that they've left the secure system, they may not even realize that their security is at risk.

This is why detecting their departure and alerting them is so important. I don't need to control the page they're going to, I just need to give them the message as they leave.

DrDoc

11:05 pm on Feb 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I wouldn't call JavaScript a "security measure".
I don't think the students are stupid... so giving them guidelines they have to follow (such as closing the browser or logging out) seems perfectly reasonable. That's all you should have to do.

If they post their username and password on a bulletin board, how are you going to ensure that it's the actual student logging in and not someone else?
Or what if they leave the computer logged on... even if they didn't browse away, how is that going to be protected?

You cannot possibly protect against some of the most basic security problems that are always inherent in any password controlled system. Even attempting to protect the less obvious areas will give the students a false sense of security.

Log in -- do your stuff -- log out/close browser.
That shouldn't be hard to do... If they can't do that, then they shouldn't have access to the system online at all (IMO).

As far as "warning the student" goes... a sign on top of each monitor should be enough, and probably work a lot better :)
On top of that, open all external pages in new windows...
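As an added example (not code from either poster), the following shows what can and cannot be done on the client for the two ideas in this thread: Arthalion's request to tell whether a clicked link leaves the secured area and to warn before it is followed, and DrDoc's suggestion to open external pages in a new window. The secured origin, the `/secure/` path prefix and the `sessionid` cookie name are constructed placeholders. The link classification uses the WHATWG `URL` parser rather than string matching, so relative links, `..` segments, fragments and protocol-relative URLs resolve the way the browser will resolve them. Typed URLs and the back button can only be caught with `beforeunload`, and there the browser never reveals the destination and only shows its own generic prompt; the reminder is a usability aid on top of the server-side idle timeout and logout, not a control that replaces them.

```javascript
// Added example for the thread above; not the original poster's code.
// Constructed placeholder values for the secured area and session cookie.
const SECURE_ORIGIN = 'https://portal.example.edu'; // hypothetical
const SECURE_PREFIX = '/secure/';                   // hypothetical
const SESSION_COOKIE = 'sessionid';                 // hypothetical cookie name

const LEAVE_WARNING =
  'You are leaving the secured area. Remember to log out before ' +
  'leaving this computer. Continue?';

// Decide whether following `href` (as written in the link) leaves the secured area.
// `base` is the page the link appears on; defaults to the secured area root.
// Resolution goes through the URL parser so "../x", "#top", "//host/x" and
// "/secure/../x" are judged on their resolved form, not on the raw text.
function leavesSecureArea(href, base = SECURE_ORIGIN + SECURE_PREFIX) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return true; // unparsable href: warn rather than stay silent
  }
  // Anything that is not http(s) on our origin (javascript:, mailto:, other
  // hosts) is treated as leaving; the prefix check keeps "/secure-old/" out.
  if (url.origin !== SECURE_ORIGIN) return true;
  return !url.pathname.startsWith(SECURE_PREFIX);
}

// True when a (non-HttpOnly) session cookie is visible to script. If the
// cookie is HttpOnly, as it should be for a session ID, script cannot see it
// and the server must tell the page about login state some other way.
function looksLoggedIn(cookieString) {
  return cookieString.split(';').some((c) => c.trim().startsWith(SESSION_COOKIE + '='));
}

// Wire the warning into a document: links that leave the secured area prompt
// first and, if accepted, open in a new window so the secured page stays up.
function installLeaveGuard(doc, win) {
  doc.addEventListener('click', (ev) => {
    const a = ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a) return;
    if (!leavesSecureArea(a.getAttribute('href'), win.location.href)) return;
    ev.preventDefault(); // never let the click navigate the secured window
    if (!win.confirm(LEAVE_WARNING)) return; // user chose to stay
    win.open(a.href, '_blank', 'noopener');  // external content in a new window
  });

  // Address-bar entry, bookmarks and Back all bypass the click handler. The
  // browser fires beforeunload but hides the destination and shows only its
  // own generic "leave page?" prompt, so this is the best available fallback.
  win.addEventListener('beforeunload', (ev) => {
    if (!looksLoggedIn(doc.cookie)) return;
    ev.preventDefault();
    ev.returnValue = ''; // required by some browsers to show the prompt
  });
}

// Only install when running in a browser page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installLeaveGuard(document, window);
}
```

Because the script can neither see the typed destination nor run with JavaScript disabled, the server-side idle timeout, a visible logout control on every secured page, and the sign-on guidance DrDoc describes remain the controls that actually limit exposure on a shared machine.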