WebApp Sec mailing list archives

Re: Encrypted URL


From: gcb33 () dial pipex com
Date: Sat, 31 Jan 2004 07:48:18 +0000



Encrypting URLs adds another layer of security to web apps. We use it in banking 
applications; as the application uses URL rewrites it was easy to add on top. 
The entire URL is encrypted, with a random key for each page requested. We don't 
use GET, as it is all POST data submitted by the user.

This solves:

Retry sessions: if the user was able to copy and paste a previous URL into another 
browser, it will not work; the key has been lost and the session will be killed 
automatically. Back button or Ctrl-N refresh: same again. Second, it stops a lot 
of process-flow jumping within the site, i.e. in brokerage Buy, Order, Sell, and 
the same with corporate banking systems.

It also hides the path that pages are on; all you see is one long encrypted URL, 
and it makes it harder for the person to guess what application server you are 
running on.

We have two keys in this approach. One key is used to do the URL rewrites, seeded 
from the web servers themselves. Another key is created randomly per page for 
each user request, which is mapped into the session state database on the 
application server.

Please note we can turn this approach on or off for testing, to make sure that 
the application server can still handle the session state of the user within 
the site without relying on the 2nd key.

James
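A worked example of the two-key scheme described in the post above, added here as an editorial illustration; it is not James's code and not taken from any bank's system. It assumes the following, none of which the post specifies: an in-memory dict stands in for the session state database, the web server's rewrite key is a fixed byte string, SHA-256 in counter mode stands in for whatever cipher is really used, and the opaque URL format (base64url of ciphertext plus an HMAC tag) is invented for the example. What it demonstrates is the behaviour the post describes: a fresh random page key per rendered page, kept only server-side, and a URL that works exactly once; a replayed, pasted, back-button or refreshed URL no longer matches the current key and kills the session. The `enabled` switch mirrors the on/off testing mode mentioned at the end of the post.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each encrypted URL


class SessionKilled(Exception):
    """Raised when a request carries a URL that does not match the session's
    current page key: a replayed, pasted, back-button or refreshed URL."""


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a demonstration stream cipher (assumption);
    # a real deployment would use a vetted cipher such as AES-GCM instead.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedUrlGateway:
    """Two keys: `rewrite_key` is the fixed server-side key (key 1); each
    rendered page gets a fresh random page key (key 2) that lives only in the
    session store, and the URL it protects is valid for exactly one request."""

    def __init__(self, rewrite_key: bytes, enabled: bool = True):
        self.rewrite_key = rewrite_key
        self.enabled = enabled      # switch for testing with encryption off
        self.sessions = {}          # stand-in for the session state database

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"page_key": None, "alive": True}
        return sid

    def _mac_key(self, page_key: bytes) -> bytes:
        # Bind the per-page key to the server key so a copied session record
        # alone cannot mint a valid URL (design choice for this example).
        return hmac.new(self.rewrite_key, page_key, hashlib.sha256).digest()

    def _kill(self, sess: dict) -> None:
        sess["alive"] = False
        sess["page_key"] = None

    def render_link(self, sid: str, path: str) -> str:
        """Called when a page is rendered: rotate the page key and return the
        opaque URL the browser will see."""
        if not self.enabled:
            return path
        sess = self.sessions[sid]
        page_key = secrets.token_bytes(32)
        sess["page_key"] = page_key  # the previous key is lost from here on
        plaintext = path.encode()
        ciphertext = _xor(plaintext, _keystream(page_key, len(plaintext)))
        tag = hmac.new(self._mac_key(page_key), sid.encode() + ciphertext,
                       hashlib.sha256).digest()
        return "/" + base64.urlsafe_b64encode(ciphertext + tag).decode().rstrip("=")

    def handle_request(self, sid: str, url: str) -> str:
        """Called on each request: recover the real path, or kill the session."""
        if not self.enabled:
            return url
        sess = self.sessions.get(sid)
        if sess is None or not sess["alive"]:
            raise SessionKilled("no live session for this request")
        page_key = sess["page_key"]
        sess["page_key"] = None      # one-shot: consumed even if the check fails
        token = url.lstrip("/")
        try:
            blob = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            blob = b""
        if page_key is None or len(blob) < TAG_LEN:
            self._kill(sess)
            raise SessionKilled("no current page key for this URL")
        ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key(page_key), sid.encode() + ciphertext,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._kill(sess)
            raise SessionKilled("URL was not issued under the current page key")
        return _xor(ciphertext, _keystream(page_key, len(ciphertext))).decode()


if __name__ == "__main__":
    gw = EncryptedUrlGateway(b"server-side-rewrite-key")  # constructed key
    sid = gw.new_session()
    link = gw.render_link(sid, "/broker/buy?qty=100")
    print("browser sees:   ", link)
    print("server resolves:", gw.handle_request(sid, link))
    gw.render_link(sid, "/broker/order")   # next page issues a new key
    try:
        gw.handle_request(sid, link)       # back button / pasted old URL
    except SessionKilled as exc:
        print("replay rejected:", exc)
```

Two points worth noting when reading it against the post: the page key is discarded as soon as a request consumes it, so even a plain refresh before the next page renders fails, which is the "Ctrl-N refresh" case; and because the session id is folded into the tag, a URL pasted into a second browser fails even before its key is checked, because that browser has no session holding the key.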

