MachForm Community Forums Topic: login per url https://www.machform.com/forums/ MachForm Community Forums Topic: login per url en Wed, 06 May 2026 13:05:10 +0000 ventilator on "login per url" https://www.machform.com/forums/topic/login-per-url#post-7606 Thu, 08 Oct 2009 02:29:34 +0000 ventilator 7606@https://www.machform.com/forums/ <p>It is a security problem to attach your usernames and passwords to a URL even on an intranet.</p> <p>Think about it:</p> <p>Unless you turn off the referral function of the client's browser, if they navigate away from your intranet page the URL and the login data will be in the log of the external web servers they go to because the login data is at the end of the URL.</p> <p>In short, should those user credentials match any other credentials, a third party now has your passwords and usernames with a single click of a button by your users who will very likely be blissfully unaware of what they just did.</p> <p>There is a common trick used by people that make money off of referral links called double meta refresh. The goal being to push you to another, completely neutral page and URL and then if you're browser reflects that new clean URL refer you to the destination page. This is used to break the referral process and obscure the destination page from seeing too much information about the last page the user came from.</p> <p>Something similar can be done with a neutral exit page or Javascript. You use JavaScript to force them to exit via that page. Even if you call to the page with arguments in the URL, you detect that with JavaScript and do not allow them to exit until they load the page with a URL that contains no additional data or you simply push them to the neutral exit page whether they like it or not.</p> <p>You can also obscure this data like the default install of MachForms does. Basically if you look at the URLs used in the system, very little data of any obvious intent is transmitted in the URLs. You could roll your own login system that transmits the more personal data by referencing unique numeric IDs or cookies and linking to data in a MySQL database.</p> <p>Be careful with cookies, although they should be protected from prying eyes, there are plenty of ways I can read the cookies you set even though I should not be able to.</p> <p>Another option which can add even more security is to require your users to use a specific separate web browser to access your intranet. There are versions of FireFox that are designed to be self contained. These versions are usually used with flash storage but they basically stand alone as programs.</p> <p>You would install the browser.<br /> Set it up with the security settings you like (about:config), etc.<br /> Install whatever certificates or authorities you may want.<br /> Make the home page of the browser your intranet's top page.<br /> Copy the browser install directory (natively or compressed) to your server.<br /> Distribute the browser with a script, or manually.<br /> Put a link on their desktop to start this separate browser with a script, or manually.<br /> Rig your intranet to deny access unless this internal browser is used.</p> <p>This last option offers lots of options. You can be sure JavaScript is on like that. You can be absolutely sure of the browser they are using like that. You can be sure they aren't transmitting referral information and you can turn that feature off without breaking other sites that often do require it. You can even control the version of the program they are using. If you're handy with Javascript or XUL you can even disable the standard interface for the additional browser and make it look like a stand alone application with whatever controls you like. </p> Robye on "login per url" https://www.machform.com/forums/topic/login-per-url#post-7601 Wed, 07 Oct 2009 16:39:47 +0000 Robye 7601@https://www.machform.com/forums/ <p>yes , probably its true because leave "unprotected" just the export_entries.php file </p> redityo on "login per url" https://www.machform.com/forums/topic/login-per-url#post-7598 Wed, 07 Oct 2009 16:19:11 +0000 redityo 7598@https://www.machform.com/forums/ <p>Hi,</p> <p>If you need to export an excel/csv file without login to machform admin, you can by pass the session check. To do so, simple remove this line from "export_entries.php" file.</p> <pre><code>require(&#39;includes/check-session.php&#39;);</code></pre> <p>I think it's better for your security reason </p> Robye on "login per url" https://www.machform.com/forums/topic/login-per-url#post-7597 Wed, 07 Oct 2009 15:51:44 +0000 Robye 7597@https://www.machform.com/forums/ <p>and what about reach via URL the export_entries.php</p> <p>im trying to give direct access via URL, esemple:</p> <p><a href="http://mysite.com/machform/export_entries.php?id=4&#38;type=csv&#38;admin_username=123&#38;admin_password=123" rel="nofollow">http://mysite.com/machform/export_entries.php?id=4&#38;type=csv&#38;admin_username=123&#38;admin_password=123</a></p> <p>its possible do that? </p> sonic on "login per url" https://www.machform.com/forums/topic/login-per-url#post-2839 Wed, 03 Sep 2008 21:44:49 +0000 sonic 2839@https://www.machform.com/forums/ <p>Hi</p> <p>I have tried it and it works fine.<br /> Thanks </p> redityo on "login per url" https://www.machform.com/forums/topic/login-per-url#post-2797 Fri, 29 Aug 2008 20:35:46 +0000 redityo 2797@https://www.machform.com/forums/ <p>I see .. You can edit your index.php on machform folder and add this line around line 11 below session_start() code :</p> <pre><code>$_POST=$_GET;</code></pre> <p>after that you can call your machform login using this url</p> <p><a href="http://host.com/machform/index.php?admin_username=admin&#38;admin_password=admin&#38;submit=1" rel="nofollow">http://host.com/machform/index.php?admin_username=admin&#38;admin_password=admin&#38;submit=1</a> </p> sonic on "login per url" https://www.machform.com/forums/topic/login-per-url#post-2793 Fri, 29 Aug 2008 17:06:46 +0000 sonic 2793@https://www.machform.com/forums/ <p>Hi</p> <p>I would like an automatic access without login procedure. The security reason is no problem, we use this form in an intranet. </p> redityo on "login per url" https://www.machform.com/forums/topic/login-per-url#post-2770 Thu, 28 Aug 2008 07:47:58 +0000 redityo 2770@https://www.machform.com/forums/ <p>Hi ..</p> <p>For security reason I think it's not possible to parse the login data from url :) anyway may I know why do you want to do that ? </p> sonic on "login per url" https://www.machform.com/forums/topic/login-per-url#post-2769 Thu, 28 Aug 2008 05:58:49 +0000 sonic 2769@https://www.machform.com/forums/ <p>Hi<br /> Is it possible to send the login data via URL?<br /> I have tried this here:</p> <p><a href="http://yoururl.com/machform/index.php?ADMIN_USER=admin&#38;ADMIN_PASSWORD=12345" rel="nofollow">http://yoururl.com/machform/index.php?ADMIN_USER=admin&#38;ADMIN_PASSWORD=12345</a></p> <p>Unfortunately it will not work.</p> <p>Regards<br /> Sonic </p>