When sharing a link I've noticed that linkedIn appends a '#!' to the end of the URL after redirecting. This is breaking my Backbone.js single-page app since we use pushstate in the URL, and so the '!' is interpreted as a Backbone.js route.
Here is an example link (not my site). It will take you to:
http://blog.mindresearch.net/blog/bid/336633/The-Connection-Between-Math-and-Neuroscience#!
I know I can filter this on the server-side, or deal with it on the client-side in numerous ways, but it just seems strange, and I saw no posts online about this topic, so thought I'd post a question asking what it is, and whether there is a way to get rid of it?
Of course, I'll also email LinkedIn support, but thought this could be useful to anyone else running into the same problem.
AFAIK anything after the hash is not sent to the server; I use a simple client-side script to redirect those URLs. A naive redirect, but it works. I don't see any way of preventing it from occurring, unless LinkedIn and Facebook change their outgoing redirect policy.
<script>
if( window.location.hash == '#!' ) {
window.location.href = 'http://domain.tld/';
}
</script>
Sure it only works for JavaScript enabled clients, but then again in my experience those hashbang URLs only break those clients in the first place.
Related
Some websites like Facebook and Ask FM use #_=_ at the end of an URL to an external website. Why?
If two large websites are doing so, surely it must mean something?
The problem is after authenticating with Facebook. The base path becomes a hash which eventually breaks the navigation.
I think this is because of facebook passing the url with some hash key. Because with or without passing redirection url facebook passing this to avoid vulnerability of attacks.
From https://developers.facebook.com/blog/post/552/, change in Session Redirect Behavior:
This week, we started adding a fragment #= to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.
A solution is simply removing the hash as stated here then everything seems back to normal:
Facebook Callback appends '#_=_' to Return URL
I am working on Asp.Net MVC 5. When i click a link (placed in another website) I navigate to UserDetails.cshtml page. Basically that 3rd party site is passing the UserName & Password to my site & using that I authorize & display further user info.
It's fine but the Url is looking like this
localhost:8080//Admin/UserDetails/UserName/PWD.
I don't want to show the UserName & Password in URL i.e URL should look something like :
localhost:8080//Admin/UserDetails/
One possible solution could be rewrite the URL in IIS (http://www.hanselman.com/blog/ASPNETMVCAndTheNewIIS7RewriteModule.aspx)
But I believe there is an easier way to handle this by using the routing mechanism of MVC.
Please help me to figure out the same.
EDIT :
As many of you are confused why I am not doing a Form Post here, let me re-frame my question. I have no control over the third party application, so I cant request them to do a form Post to my MVC application. Again the 3rd party application is a Oracle Reporting application (OBI), so doing a POST from that application might not be feasible too...
Let me reverse engineer your requirements from your question:
I want to have an URI that when invoked will give access to a secured section of my website. This URI must be clicked by visitors of a third-party site, whom I give that URI to. I want to hide the credentials from the URI.
You cannot do this, the requirements are conflicting. You cannot hand out URIs that will authenticate anyone who fires a request to that URI.
You could do something with a token (like http://your-site/auth/$token), but then still, anyone with access to that URI can use it to authenticate themselves, or simply put it up on their own website.
If you have data you want to expose to a third-party site, let that site perform an HTTP request (with tokens, usernames, headers or whatever you want to use to authenticate) in the background to your site, and display the response in their site. Then the visitor won't see that traffic, can't share the URI and all will be secure.
No. No. NO. Like seriously, NO. Any sensitive information should be sent via a post body over a secure connection (HTTPS). You can't "hide" information in a GET request, because it's all part of the URI, or the location of a particular resource. If you remove a portion, it's an entirely different location.
UPDATE
I find it extremely hard to believe that any third-party application that needs to authenticate via HTTP and isn't designed by a chimp with a typewriter, wouldn't support a secure method to do so, especially if it's an Oracle application. I'm not familiar with this particular app, but, and no offense meant here, but I would more easily believe that you've missed something in the documentation or simply haven't found the right way to do it yet before I'd believe you have to send clear-text credentials over GET.
Regardless, as I said previously, there's no way to hide information in a GET request. All data in a GET is part of the URL, and therefore is plainly visible in the browser location bar or whatever. Unfortunately, I have no advice for you other than to look closer at the documentation, even reach out to Oracle if you have to. Whether by post or something like OAuth, there almost has to be another way.
I am trying to figure out a way to post a tweet via just JavaScript to twitter for a personal project of mine. It won't be publicly accessible, so I'm not worried about security, which is normally something you have to worry a lot about with OAuth through JS.
Essentially I want to: redirect to twitter OAuth login -> accept -> redirect back to my own page -> tweet/do something.
I have been looking forever, and I can't seem to find a way to do this (I can't find any good JavaScript OAuth libraries either). I wouldn't have imagined it would be this difficult.
Any recommendations/solutions?
I have a (Rails) site and I want the search engines to crawl and index it. However, I also have some actions that I want to log as having happened - and these actions can be triggered by logged in users as well as users not logged in. Now, to ensure that the count for non-logged in ie anonymous users doesn't include bot traffic I am considering a few options and am looking for guidance on which way to go:
Set a cookie for all users, if this cookie doesn't come back since Bots usually dont accept or send back cookies, I can distinguish bots from anonymous humans.
Check the header and see if the agent is a bot (some whitelist): How to recognize bots with php?
Set that action to be a POST rather than a GET. Bots issue GETs so they don't get counted.
Any other approaches?
I am sure folks have had to do this before so what's the 'canonical' way to solve this?
If you don't want the spiders to follow the links, then you can use rel="nofollow" on them. However, since there might be other links pointing into the pages, you will probably also want to look at the User-Agent header. In my experience, the most common User-Agent headers are:
Google: Googlebot/2.1 ( http://www.googlebot.com/bot.html)
Google Image: Googlebot-Image/1.0 ( http://www.googlebot.com/bot.html)
MSN Live: msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
Yahoo: Mozilla/5.0 (compatible; Yahoo! Slurp;)
Just check the User-Agent header, that might be enough for your purposes. Note that a user agent can just pose as Google bot. So if you want to be sure more checking is needed. But I don't think you'd need to bother further than this.
Need to submit some CC data from the View to the Controller where it will be processed, can I just POST it or is there some common way of securing the data in transit?
Post the data using SSL.
Here's a good resource on setting up SSL with IIS and ASP.NET.
Posting with SSL like Rex M mentioned is definitely the first step. You should probably make the page where they are typing their credit card number SSL as well. This will give your users the green URL of comfort.
You should also include protection against CSRF attacks. Use the anti-forgery token.
Also, you should use the PRG (Post, Redirect, Get) pattern to make sure that the credit card numbers aren't submitted twice. After the post, don't just render a different view, send a redirect so their browser does a GET against another URL - probably your confirmation page.
You'll run into a few ASP.NET MVC specific things:
If you have some http pages and some https pages, how will you code the links to the https pages from the http pages. You can hard code them, but you'll have to hard code the domain and protocol. You can't just use <%= Html.ActionLink(... see this SO question for more details.
You'll want to make sure you can't hit your controllers when you are not using SSL. This will help you catch any errors, and ensure that no one uses http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo
I haven't read about the implementation of the ASP.net-MVC. However, i believe that you have mixed up the terminology.
The MVC Pattern would be evaluated on the server end. [So there is little need to do security checks between the components (unless they are exposed outside the program)]
I believe that many people get the impression that you are talking about HTTP POSTS after a form submission (as opposed to HTTP GETs)