Re: [struts-user] How to encrypt the url?
If your only requirement is that you can pass parameters only via GET, take into consideration that you can recover the session content through the jsessionid GET parameter.

> You should sha/md5 your password before sending it. This of course is
> client side and you could do that with javascript. You could use this:
> http://www.bichlmeier.info/sha256.html
> Anyway, people might be able to sniff this encrypted password and use
> the encrypted version to login.

I have been using a similar approach in an iPad application (where the client side provides something more than the simple javascript). In order to mitigate this kind of risk I chose to send a time-based, salted hash, according to the challenge-response authentication schema [1].
I think this is a way to complicate your life, and you should do that only if it is strictly necessary (in my case the requirement was to remember the user authentication).

[1] http://en.wikipedia.org/wiki/Challenge-response_authentication

--
Maurizio Cucchiara

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
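The challenge-response idea referred to in the message above, as an added example that is not part of the original thread or anyone's posted code: a sniffed response is useless on a second attempt because each challenge is single use and expires. The `Server` class, the function names, the PBKDF2 parameters and the 30-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 30  # seconds a challenge stays valid (assumed value)

def derive_key(password, salt):
    # Salted, slow hash of the password; both sides can compute it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_response(password, salt, nonce):
    # The client answers the challenge; no password or fixed hash goes on the wire.
    key = derive_key(password, salt)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class Server:  # hypothetical in-memory server, for illustration only
    def __init__(self):
        self.users = {}    # user -> (salt, derived key)
        self.pending = {}  # nonce -> (user, issue time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user, now=None):
        salt = self.users[user][0]
        nonce = secrets.token_hex(16)  # fresh random challenge per login attempt
        self.pending[nonce] = (user, time.time() if now is None else now)
        return salt, nonce

    def verify(self, user, nonce, response, now=None):
        issued = self.pending.pop(nonce, None)  # pop: each challenge is single use
        if issued is None or issued[0] != user:
            return False  # unknown or already used nonce: a replayed capture ends here
        now = time.time() if now is None else now
        if now - issued[1] > MAX_AGE:
            return False  # challenge expired
        key = self.users[user][1]
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time compare

if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse")  # constructed sample account
    salt, nonce = srv.challenge("alice")
    resp = client_response("correct horse", salt, nonce)
    print("first use:", srv.verify("alice", nonce, resp))
    print("replayed :", srv.verify("alice", nonce, resp))
```

The derived key the server stores is enough to answer challenges, so it needs the same protection as a password, and the exchange still belongs on https as the thread recommends.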
Re: [struts-user] How to encrypt the url?
>> is logging out to the login screen, so I have to give links like
>>
>> http://localhost:8080/UNOT/User/ViewProfile.action?id=1&passwd=643def90&app_login=Login
>>
>> So, is there any way to encrypt the url?
>
> Bad idea. But yes, and it is not a struts issue. So I will ask why can't you
> use a session?

I would like to second that this is a bad idea.

You should sha/md5 your password before sending it. This of course is client side and you could do that with javascript. You could use this:
http://www.bichlmeier.info/sha256.html

Anyway, people might be able to sniff this encrypted password and use the encrypted version to login. The only benefit is they do not own the clear password, which might be used for other apps as email.

Therefore you should go to https://

--
http://www.grobmeier.de
RE: [struts-user] How to encrypt the url?
> -----Original Message-----
> From: log2akshat [mailto:akshat-...@iiitmk.ac.in]
> Sent: Thursday, July 28, 2011 18:01
> To: user@struts.apache.org
> Subject: [struts-user] How to encrypt the url?
>
> How can I encrypt parameters used in a URL. I cannot use POST
> in these cases.

Firstly, encryption is not a struts specific issue.

> I am working on a login application using session, where user
> passes his registration ID & password to login. And after

Ok, what is wrong with a session?

> login there are various features like user can view his
> profile, update his profile etc. But my problem is that when
> in the menu if I am passing the links of the action then it

Example?

> is logging out to the login screen, so I have to give links like
>
> http://localhost:8080/UNOT/User/ViewProfile.action?id=1&passwd=643def90&app_login=Login
>
> So, is there any way to encrypt the url?

Bad idea. But yes, and it is not a struts issue. So I will ask why can't you use a session?

> --
> View this message in context:
> http://struts.1045723.n5.nabble.com/How-to-encrypt-the-url-tp4644406p4644406.html
> Sent from the Struts - User mailing list archive at Nabble.com.

--
Jason Pyeron                PD Inc. http://www.pdinc.us
Principal Consultant        10 West 24th Street #100
+1 (443) 269-1555 x333      Baltimore, Maryland 21218
This message is copyright PD Inc, subject to license 20080407P00.