Posted to user@struts.apache.org by Jason Pyeron <jp...@pdinc.us> on 2011/07/29 00:16:30 UTC

RE: [struts-user] How to encrypt the url?

> -----Original Message-----
> From: log2akshat [mailto:akshat-pg8@iiitmk.ac.in] 
> Sent: Thursday, July 28, 2011 18:01
> To: user@struts.apache.org
> Subject: [struts-user] How to encrypt the url?
> 
> How can I encrypt parameters used in a URL. I cannot use POST 
> in these cases.

Firstly, encryption is not a Struts-specific issue.


> 
> I am working on a login application using session, where user 
> passes his registration ID & password to login. And after 

Ok, what is wrong with a session?

> login there are various features like user can view his 
> profile, update his profile etc. But my problem is that when 
> in the menu if I am passing the links of the action then it 

Example?


> is logging out to the login screen, so I have to give links like 
> 
> http://localhost:8080/UNOT/User/ViewProfile.action?id=1&passwd=643def90&app_login=Login
> 
> So, is there any way to encrypt the url?

Bad idea. But yes, and it is not a Struts issue. So I will ask: why can't you use
a session?


> 
> --
> View this message in context: 
> http://struts.1045723.n5.nabble.com/How-to-encrypt-the-url-tp4644406p4644406.html
> Sent from the Struts - User mailing list archive at Nabble.com.




--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [struts-user] How to encrypt the url?

Posted by Maurizio Cucchiara <mc...@apache.org>.
If your only requirement is that you can pass parameters only via GET,
take into consideration that you can recover the session content
through the jsessionid GET parameter.

> You should SHA/MD5 your password before sending it. This of course is
> client side and you could do that with JavaScript. You could use this:
> http://www.bichlmeier.info/sha256.html

> Anyway, people might be able to sniff this encrypted password and use
> the encrypted version to log in.

I have been using a similar approach in an iPad application (where the
client side provides something more than simple JavaScript). In
order to mitigate this kind of risk I chose to send a time-based,
salted hash, according to the challenge-response authentication
scheme [1].

I think this is a way to complicate your life, and you should do that
only if it is strictly necessary (in my case the requirement was to
remember the user authentication)

[1] http://en.wikipedia.org/wiki/Challenge-response_authentication

--
Maurizio Cucchiara



Re: [struts-user] How to encrypt the url?

Posted by Christian Grobmeier <gr...@gmail.com>.
>> is logging out to the login screen, so I have to give links like
>>
>> http://localhost:8080/UNOT/User/ViewProfile.action?id=1&passwd=643def90&app_login=Login
>>
>> So, is there any way to encrypt the url?
>
> Bad idea. But yes, and it is not a Struts issue. So I will ask: why can't you use
> a session?

I would like to second that this is a bad idea.

You should SHA/MD5 your password before sending it. This of course is
client side and you could do that with JavaScript. You could use this:
http://www.bichlmeier.info/sha256.html

Anyway, people might be able to sniff this encrypted password and use
the encrypted version to log in. The only benefit is they do not own
the clear password, which might be used for other apps such as email.
Therefore you should go to https://







-- 
http://www.grobmeier.de
