How to prevent users from accessing a web application from a locally saved Html login page?

Question

I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.

This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.

Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:

if (top.location.protocol == 'file:') {
    alert('This application is not designed to be accessed from a desktop copy...')
}

But this will only warn users that have saved the desktop copy since I have added this piece of javascript.

Has anyone else had this problem and come up with clever solutions that they'd like to share?

Thanks

Update:

In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.

If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).

Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.

Answer 1

I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.

Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?

Answer 2

Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.

Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.