Posted to user@struts.apache.org by Anton Pussep <an...@pussep.de> on 2007/06/28 13:50:49 UTC

How to avoid users changing values of hidden fields using the URL?

Hello,

I am not sure how to deal with the problem that a user can pass their own
parameter values to the action class by changing the URL if there are
setters provided.

For example I often have a hidden field in a form that stores the ID and
the action class provides a getter and a setter. But the user can change
the ID by modifying the URL (just adding "?id=42"). The problem is that
this way he might access IDs that are not meant to be seen by him, they
might belong to other users.

I cannot see a good solution for that. A permission system just to check
if the user is allowed to see this ID seems to be quite an overhead to
me. Whereas storing the ID in the session is not very handy and I have
to take care that they are removed safely.

I am pretty sure that there is a good solution for that, I would be very
grateful for any hints!

Best,
Anton


Re: How to avoid users changing values of hidden fields using the URL?

Posted by Anton Pussep <an...@pussep.de>.
Thanks Jeff and Gorka for the competent (and fast) replies!

> if you are using Struts there is a transparent solution
> for that: HDIV

It sounds very interesting. I will surely have a closer look at it. Thanks
for the great reference!

> The rule of web applications (heck...all multi-tiered apps) is to
> NEVER EVER trust information sent by the client.

Yes, I think it is very true and this will be my policy in future.

Many thanks,
Anton


Re: How to avoid users changing values of hidden fields using the URL?

Posted by Jeff Amiel <je...@gmail.com>.
On 6/28/07, Anton Pussep <an...@pussep.de> wrote:

> I cannot see a good solution for that. A permission system just to check
> if the user is allowed to see this ID seems to be quite an overhead to
> me. Whereas storing the ID in the session is not very handy and I have
> to take care that they are removed safely.

The rule of web applications (heck...all multi-tiered apps) is to
NEVER EVER trust information sent by the client.
If a user needs to have access to a particular ID, you need to check
on every request....or store his 'privileges' in the session and check
there.  (session should timeout after period of inactivity and/or be
refreshed with new privilege data when it changes)
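The check Jeff describes, worked through as an added example that is not from the thread or from Struts itself: the action accepts the untrusted `id` from the request, but looks the record up scoped to the authenticated user, so a tampered id that belongs to someone else resolves exactly like an id that does not exist. The class and method names (`ViewDocumentAction`, `findByIdAndOwner`, `SessionPrivileges`) and the in-memory repository are assumptions standing in for a real action and database, and the sample rows are constructed. The `SessionPrivileges` class shows the second option from the reply, privileges loaded into the session once and consulted on each request.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example (not from the mailing-list thread): defending a hidden-field
// or URL id by scoping every lookup to the authenticated user.
public class OwnershipCheckExample {

    // Constructed sample row: each document knows which user owns it.
    static final class Document {
        final long id;
        final String ownerId;
        final String body;
        Document(long id, String ownerId, String body) {
            this.id = id; this.ownerId = ownerId; this.body = body;
        }
    }

    // Hypothetical stand-in for the database. In SQL this would be
    // "WHERE id = ? AND owner_id = ?" so the owner condition is part of the query.
    static final class DocumentRepository {
        private final Map<Long, Document> rows = new HashMap<>();
        void save(Document d) { rows.put(d.id, d); }

        // A row owned by someone else is indistinguishable from a missing row.
        Optional<Document> findByIdAndOwner(long id, String ownerId) {
            Document d = rows.get(id);
            if (d == null || !d.ownerId.equals(ownerId)) return Optional.empty();
            return Optional.of(d);
        }
    }

    // Option 2 from the reply: privileges loaded into the session at login,
    // consulted on every request, refreshed when they change.
    static final class SessionPrivileges {
        private final Set<Long> allowedDocumentIds = new HashSet<>();
        void grant(long documentId) { allowedDocumentIds.add(documentId); }
        void refresh(Set<Long> current) {
            allowedDocumentIds.clear(); allowedDocumentIds.addAll(current);
        }
        boolean mayView(long documentId) { return allowedDocumentIds.contains(documentId); }
    }

    // Mirrors a Struts action: the framework populates 'id' from ?id=42 or a
    // hidden field, so it is untrusted. The user identity comes from the
    // authenticated session, never from the request.
    static final class ViewDocumentAction {
        private final DocumentRepository repo;
        private final String currentUserId;
        private long id;

        ViewDocumentAction(DocumentRepository repo, String currentUserId) {
            this.repo = repo; this.currentUserId = currentUserId;
        }
        public void setId(long id) { this.id = id; }

        public String execute() {
            Optional<Document> doc = repo.findByIdAndOwner(id, currentUserId);
            if (!doc.isPresent()) {
                return "notfound"; // same result whether the id is unknown or not ours
            }
            System.out.println("rendering: " + doc.get().body);
            return "success";
        }
    }

    public static void main(String[] args) {
        DocumentRepository repo = new DocumentRepository();
        repo.save(new Document(41, "alice", "alice's notes"));
        repo.save(new Document(42, "bob", "bob's notes"));

        ViewDocumentAction asAlice = new ViewDocumentAction(repo, "alice");
        asAlice.setId(41);
        System.out.println("alice id=41 -> " + asAlice.execute()); // success
        asAlice.setId(42); // id tampered in the URL to point at bob's row
        System.out.println("alice id=42 -> " + asAlice.execute()); // notfound

        SessionPrivileges session = new SessionPrivileges();
        session.grant(41);
        System.out.println("session allows 41: " + session.mayView(41)); // true
        System.out.println("session allows 42: " + session.mayView(42)); // false
    }
}
```

The per-request lookup is the simpler of the two because it has no cache to invalidate; the session variant is cheaper when the privilege data is expensive to compute, but, as the reply notes, it has to be refreshed when privileges change and discarded when the session times out.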
