[TYPO3-english] Howto protect an eID url?

Stephan Schuler Stephan.Schuler at netlogix.de
Fri Feb 15 14:43:20 CET 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey there.


> That protects your eID
No, it does not.

Who attacks? Is it the person using his browser to visit your website? He surfs your website, fetches some ajax data and tries to retrieve other data then you want to give him?
Then: No. Using HTTP/POST to transfer the name of the eID script does NOT give you any security. I just open my firebug and see which network traffic is going on. There it is: The name of the eID.

Is it some man in the middle? He fetches the whole network stream as well. And there it is: The name of the eID.

Is it somebody else that uses your website but does not have a nice GUI to access the eID? Then he might fetch your java script code. Done.

Just making the name of the eID script unguessable and use POST to call the server does not provide any security.
The only thing you reach by using POST is: The name of the eID script is no longer part of the apache access log. But since this is *your* server, you're not hiding any information from anybody else then you. Nice one!

As soon as the only authentication secret is your eID script name which is part of your websites output (doesn't matter if it's part of the HTML or inside of a java script file) you're exposing your password. Which means: You do not keep your secret secret. You get my point?


There is only one solution: Provide access tokens by login and do the privilege check based on this token right inside of your eID code.
The eID can access the fe_user.
If you have data that should only be visible for logged in users: Only provide them if there I an fe_user.
If you have data that should only be visible for a certain fe_user group: Check the current fe_users groups and provide the data only if the group matches.
If you have data that should only be visible for a very specific fe_user: ... you name it.

If you have web services that cannot use your TYPO3 fe login form: Use either an authentication service that allows HTTP Basic Auth or something. Or do it your own right inside of your eID.

Another option could be some .htaccess rules that simply force authentication for "?eID=youreidkey". As long as it is only one or a couple of users for the web service, that's probably the easiest way to secure your eID.


Kind regards,



Stephan Schuler
Web-Entwickler

Telefon: +49 (911) 539909 - 0
E-Mail: Stephan.Schuler at netlogix.de
Website: media.netlogix.de


- --
netlogix GmbH & Co. KG
IT-Services | IT-Training | Media
Andernacher Straße 53 | 90411 Nürnberg
Telefon: +49 (911) 539909 - 0 | Fax: +49 (911) 539909 - 99
E-Mail: info at netlogix.de | Internet: http://www.netlogix.de

netlogix GmbH & Co. KG ist eingetragen am Amtsgericht Nürnberg (HRA 13338)
Persönlich haftende Gesellschafterin: netlogix Verwaltungs GmbH (HRB 20634)
Umsatzsteuer-Identifikationsnummer: DE 233472254
Geschäftsführer: Stefan Buchta, Matthias Schmidt



- -----Ursprüngliche Nachricht-----
Von: typo3-english-bounces at lists.typo3.org [mailto:typo3-english-bounces at lists.typo3.org] Im Auftrag von Christian Platt
Gesendet: Freitag, 15. Februar 2013 12:30
An: TYPO3 English
Betreff: Re: [TYPO3-english] Howto protect an eID url?



Why not start with the follwoing lines:

if (!defined ('PATH_typo3conf')) die ('Could not access this script directly!');

in js you just acess index.php

 $.ajax({
        url: baseURL+"index.php",               // watch for  RealURL!
        type: "post",                    // Typ3 of posting
        data: {
                eID: "name of my_eID",       //the id



That protects your eID
Christian



Am 14.02.2013 um 15:53 schrieb bernd wilke:

> Am 14.02.2013 11:56, schrieb Rik Willems:
>> Hi all,
>>
>> Through javascript I want to call an eID script that collects some
>> data through a webservice. I don't want others to be able to harvest
>> the eID/webservice data, so I need to protect it in some way.
>>
>> Who can point me in the right direction? What is the best way to
>> protect eID calls in combination with javascript?
>>
> as all alghorithm you implement only in JS can be reused you need a key from your server in your JS, which changes by an unknown algorithm and which allows only a restricted number of requests.
>
> something like:
> a JS-variabel is set with a coded timestamp, which has to be provided in the eID-call as parameter and which will give results in a time interval of 1 hour ?
>
> it is the same than forms which must be protected against spam submits.
>
> the used algorithms are:
> captcha,
> IP white-/blacklists,
> hidden (and coded) values (cookies and/or undisplayed input-fields) containing timestamps, referer, chashs to data stored on the server.
>
> with algorithms which check time-intervals, IP, requests per time from
> unique IP, referer, empty and filled input-fields (input fields with
> "display:none" should not contain values, ...)
>
> and all of these methods may filter some misuse and also filter some valid usage.
>
> bernd
> --
> http://www.pi-phi.de/cheatsheet.html
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english

_______________________________________________
TYPO3-english mailing list
TYPO3-english at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 8741)
Charset: utf-8

wpUDBQFRHjt5pp0IwsibV8MBCF2wA/sEClj7CQxe7BuJ+N6+NhGUnXRyhlm9wofH
eUXv40fMx5QTIs6LEr9tIH/5+XQzCwtR+WLIYIstX35UTk/YGZXlgUqeWOyO4w2J
T2xBmkX6VgmeKmRqQOqTuBXv6KVFPuBgSfHGQz4OIz43zgZGlSxMnC60xHHpzKM5
FKBZoI1DVQ==
=saFV
-----END PGP SIGNATURE-----

More information about the TYPO3-english mailing list