Bill Moseley wrote:
Using md5s for images, as in your example, is fine. But if the images
really needed to be protected then that scheme is purely security by
obscurity. That's what we were talking about -- the case where some
user might type in the next sequence and see someone else's data. If
the images belonged to users you would probably want to make sure the
request is authorized to view the image instead of relying on just
obscuring the url.
Adding layers of security are fine -- but you have to be careful that
the added complexity doesn't also make it easier to leave open a hole.
Totally agree, but we should note that to "make sure the request is
authorized to view the image" is usually dependent on the session ID,
and the session ID is nothing more than a difficult to guess string. ;-)
Maurice
_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
