I've made a webform on my own domain, outside the domain of my company. The form is made for employees of the company. When an employee wants to get to the form he has to log in to the company website and click on a link. In this manner the employee doesn't need a special login for the form but he can use the standard company login. In the .htaccess on the server of the webform I check the HTTP_REFERER. When the referer is correct access is granted and a cookie is set. When the employee accesses the form again he can go directly because he has a cookie.

    # Request arrived via the link on the company site: grant access by setting the cookie
    <If "%{HTTP_REFERER} == 'https://sites.google.com/a/company/form'">
    Header append Set-Cookie "verified_user=yes;path=/;Secure;HttpOnly;Expires=Wed, 01 Jan 2020 02:02:02 GMT"
    </If>
    # No cookie yet (regex match, since the Cookie header may carry other cookies too): send the user to the company site
    <ElseIf "%{HTTP_COOKIE} !~ /verified_user=yes/">
       Redirect / https://sites.google.com/a/company/form
    </ElseIf>

How secure is this?

ArtDijk
  • Not at all. The http_referer can be spoofed, or not even be there at all. Also, it won't be sent when going from https to http or http to https. Better would be to send some GET arguments that include some string, and a hashed version of the string that has been salted with a known/shared value that ISN'T visible (i.e., all server-side code to generate the link, etc.) – ivanivan Oct 05 '17 at 12:28
  • The URL is on the company Google site, so I have (as far as I know) no other option than to put the URL on a page they make available to me. Is your suggestion still possible given these limitations? – ArtDijk Oct 05 '17 at 15:47
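The scheme suggested in the first comment (a link carrying a value plus a keyed hash of it, checked on the form server instead of the referer), as an added example that is not part of the question or the comments. It assumes the company site can emit a server-generated link after its own login and that both servers hold a shared secret; `SHARED_SECRET`, `FORM_URL` and `form.example` are placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example. The secret lives only on the two servers
# and is never placed in a page; it is what the commenter calls the "salt".
SHARED_SECRET = b"replace-with-a-long-random-secret"
FORM_URL = "https://form.example/access"
LINK_TTL = 600  # seconds a generated link stays valid


def sign(user: str, expires: int, secret: bytes = SHARED_SECRET) -> str:
    """Keyed hash (HMAC-SHA256) over the fields the form server will trust."""
    msg = f"{user}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_link(user: str, now: Optional[int] = None) -> str:
    """Built on the company site, after its own login, for the logged-in user."""
    expires = int(now if now is not None else time.time()) + LINK_TTL
    query = {"user": user, "exp": expires, "sig": sign(user, expires)}
    return f"{FORM_URL}?{urlencode(query)}"


def verify_link(url: str, now: Optional[int] = None) -> bool:
    """Checked on the form server; only a True result should lead to a cookie."""
    params = parse_qs(urlparse(url).query)
    try:
        user = params["user"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters
    now = int(now if now is not None else time.time())
    if now > expires:
        return False  # stale link: bounds how long a leaked URL can be reused
    # Constant-time comparison; never compare MACs with ==
    return hmac.compare_digest(sig, sign(user, expires))
```

Once `verify_link` accepts a request, the form server sets its own cookie; that cookie should be an unguessable random session id rather than a fixed value such as `verified_user=yes`, which anyone can set by hand.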

0 Answers