Posted to users@cocoon.apache.org by Michael Nachbaur <MN...@rei.com> on 2000/09/15 16:32:45 UTC
RE: [Cocoon Users] Off topic but imho important
Well, you'll have this exact same problem if you use Perl CGI/mod_perl, or even Bourne shell, to handle your web pages. The user can *ask* anything of the server they want to. It's your task as a responsible web developer (you are, aren't you? ;) to verify that the person who is requesting that page is authorized to do so.
So, having the userid they're logged in as in some server-side state storage which is used to cross-reference all their requests is a must. Now, I'm a newbie to Cocoon, but this is what I do with my mod_perl-based website (using the Apache::Session module). The concept is similar, as long as you don't store any information in the user's cookie besides some sort of GUID.
--man
Michael A. Nachbaur (KE6WIA)
mike(at)nachbaur(dot)com
http://www.nachbaur.com
"Don't try to outweird me, three-eyes. I get stranger things than you
free with my breakfast cereal." -- Zaphod Beeblebrox
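The pattern the reply describes (an opaque session id in the cookie, the userid held server-side, every request cross-referenced against it), applied to the display_user.xml?id=... URL from the question, as an added Python example that is not from this thread, Cocoon or Apache::Session; the user records, session store and function names are constructed for illustration, and the unchecked handler is shown beside the checked one:

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store: opaque session id -> logged-in userid.
# Only the opaque id ever reaches the browser cookie; the userid never does.
SESSIONS: Dict[str, int] = {}

# Constructed records standing in for the database rows behind display_user.xml.
USERS = {
    110: {"name": "alice", "account": "DE-110"},
    4711: {"name": "bob", "account": "DE-4711"},
}


def login(user_id: int) -> str:
    """Create a server-side session and return the opaque id to set as the cookie."""
    sid = secrets.token_urlsafe(32)  # unguessable and carries no information itself
    SESSIONS[sid] = user_id
    return sid


def display_user_vulnerable(query_id: int) -> Optional[dict]:
    """Trusts the id from the location bar: user 110 can fetch user 4711's data."""
    return USERS.get(query_id)


def display_user_checked(cookie_sid: Optional[str], query_id: int) -> Optional[dict]:
    """Cross-reference the requested id with the session's userid before answering.

    Returns None (the caller would send 403/404) when there is no valid session
    or when the session's user is not the user being requested.
    """
    session_user = SESSIONS.get(cookie_sid or "")
    if session_user is None or session_user != query_id:
        return None
    return USERS.get(query_id)


def handle_display_user(cookie_sid: Optional[str], url: str) -> Optional[dict]:
    """Parse ?id=... from the request URL and route it through the checked handler."""
    params = parse_qs(urlsplit(url).query)
    try:
        query_id = int(params["id"][0])
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed id is refused, not guessed at
    return display_user_checked(cookie_sid, query_id)
```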
-----Original Message-----
From: Michael Bierenfeld [mailto:michael.bierenfeld@atmiralis.de]
Sent: Friday, September 15, 2000 6:06 AM
To: Cocoon User Mailing List
Subject: [Cocoon Users] Off topic but imho important
Hello out there,

I am having the following problem. We are currently developing a website where security is very important. Guess the following situation.

XML content:

<link target="http://www.some.site/display_user.xml?id=110">display</link>

transferred to HTML content:

<a href="http://www.some.site/display_user.xml?id=110">display</a>

The problem is that if the browser displays the page coming from the database, no one protects the application from typing in the LOCATION BAR:

http://www.some.site/display_user.xml?id=4711

=> user 110 is able to see the vital data from user 4711. <= IMPOSSIBLE !!!!!

Is there a way to hide the parameters in the location bar? JavaScript is fine, or maybe there is an Apache setting, in the response header or so. I could imagine several ways:
- Using a session id and storing the values in some sort of HashTable
- Encrypting the parameter values and sending them together with a funny hashcode to avoid hits by accident

Sorry for being OT.

Kind regards
Michael