Posted to users@cocoon.apache.org by Michael Nachbaur <MN...@rei.com> on 2000/09/15 16:32:45 UTC

RE: [Cocoon Users] Off topic but imho important

Well, you'll have this exact same problem if you use Perl CGI/mod_perl, or even bourne shell to handle your webpages.  The user can *ask* anything of the server they want to.  It's your task as a responsible web developer (you are, aren't you?  ;)  to verify that the person who is requesting that page is authorized to do so.

So, having the userid they're logged in as in some server-side state storage which is used to cross-reference all their requests is a must.  Now, I'm a newbie to Cocoon, but this is what I do with my mod_perl based website (using the Apache::Session module).  The concept is similar, as long as you don't store any information in the user's cookie besides some sort of GUID.

--man
Michael A. Nachbaur (KE6WIA)
mike(at)nachbaur(dot)com
http://www.nachbaur.com
"Don't try to outweird me, three-eyes.  I get stranger things than you
free with my breakfast cereal."  -- Zaphod Beeblebrox

-----Original Message-----
From: Michael Bierenfeld [mailto:michael.bierenfeld@atmiralis.de]
Sent: Friday, September 15, 2000 6:06 AM
To: Cocoon User Mailing List
Subject: [Cocoon Users] Off topic but imho important


Hello out there,

I am having the following Problem. We are
currently developing a website where security is
very important. Guess the following situation.

XML - content :

<link
target="http://www.some.site/display_user.xml?id=110">display</link>

transferred to HTML-content

<a
href="http://www.some.site/display_user.xml?id=110">display</a>

The problem is that if the Browser displays the
Page coming from the Database, no one protects the
application from typing in the LOCATION-BAR :
http://www.some.site/display_user.xml?id=4711

=> user 110 is able to see the vital data from
user 4711. <=        IMPOSSIBLE !!!!!

Is there a way to hide the parameters in the
location bar? JavaScript is fine or maybe there is
an apache-setting, in the response Header or so. I
could imagine several ways :

- Using a sessionid and store the values in some
sort of HashTable
- Encrypt the parameter values and send them together
with a funny hashcode to avoid hits by accident

Sorry for being OT.

Kind regards

Michael
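As an added illustration of the server-side cross-reference the reply recommends (this is example code, not from either poster, Cocoon, or Apache::Session): the cookie carries only an opaque session id, the user id is looked up server-side, and the requested `id` parameter is checked against it before any record is returned. The in-memory dictionaries, user ids 110 and 4711, and the field names are constructed for the example.

```python
import secrets
from typing import Optional, Tuple

# Constructed in-memory stores standing in for Apache::Session and the user database.
SESSIONS: dict = {}  # opaque session id (the only thing in the cookie) -> logged-in user id
USERS = {
    110: {"name": "user110", "email": "user110@example.test"},
    4711: {"name": "user4711", "email": "user4711@example.test"},
}


def login(user_id: int) -> str:
    """Issue an unguessable session id and bind it to the user on the server side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def display_user_vulnerable(params: dict) -> Optional[dict]:
    """The pattern from the thread: trusts ?id= with no check against who is logged in,
    so user 110 can retype the URL with id=4711 and read another user's record."""
    return USERS.get(int(params["id"]))


def display_user(cookies: dict, params: dict) -> Tuple[int, Optional[dict]]:
    """Hardened handler: identity comes from server-side session state, never from
    the request, and the requested id is cross-referenced against it."""
    user_id = SESSIONS.get(cookies.get("sid", ""))
    if user_id is None:
        return 401, None  # no valid session: not logged in at all
    try:
        requested = int(params.get("id", ""))
    except ValueError:
        return 400, None  # malformed parameter
    if requested != user_id:
        # Deny (and in a real app, log) the attempt; with roles you would
        # consult an access-control list here instead of an equality check.
        return 403, None
    return 200, USERS.get(requested)
```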
