Well put.

To "TRULY" make this safe to the user you would have to re-code ALL your
HTML (or forms/anchors) to use the POST method, and then do a check on the
HTTP_Referer to ensure that the page being submitted is truly coming from
your site; if not, redirect them to some login page. If you absolutely HAVE
to use a 'link' to pass information, make sure it's non-sensitive
information, or hide it by putting the sensitive information into a Session
Variable and then just reference the Session information instead of checking
the request.parameters every time.

As a further problem... you can still open the cookie files, edit the info,
and re-request the page that displays the info. So now you will even have to
take another step and URLEncode your links to use Server Side
cookies/Sessions so the user can't see, touch or change anything.

Another thing you should look out for, if you use UserIds, is that they are
not 'auto-incremented' from a database, because then they are too easy to
guess (Id=100115, 100116, 100117, 100118 etc). Make them your own customized
alphanumeric IDs and assign them to the user upon registration (ID=A23d5G7,
ID=D2h57vb6 etc). This way it's almost impossible to guess unless you are
using some sort of brute-force password/ID checker. Since it's an ID, the
user doesn't really need to know it; they can log in with their username and
password and you can store the ID in a session variable.

If you use all the options mentioned above you will have a pretty secure
site, but, as you can tell, you have to re-think how the site is currently
set up.

(Geez, how could I forget this.... Use SSL / HTTPS also) :)

As for hiding the variables, you could use the Request Dispatcher method
loosely described by Geeta, but, unless I am missing something in the
explanation, the user STILL can change the query string before it's processed
the first time.

I hope you weren't expecting an easy answer to this problem.

:)
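The session-based approach described above (check the username and password once at login, keep the user's ID in a server-side session and read it from there, with an opaque ID assigned at registration instead of an auto-incremented one), as an added Java servlet example that is not part of this thread. UserStore, LoginServlet, the two details servlets and the /login and /details paths are constructed for illustration; the query-string version is shown beside the session-backed one so the difference is visible.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Constructed in-memory stand-in for the application's user table (not from the thread). */
final class UserStore {
    static final UserStore SHARED = new UserStore();
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Account {
        final String id; final byte[] salt; final byte[] digest; final String details;
        Account(String id, byte[] salt, byte[] digest, String details) {
            this.id = id; this.salt = salt; this.digest = digest; this.details = details;
        }
    }
    private final Map<String, Account> byUsername = new HashMap<String, Account>();
    private final Map<String, Account> byId = new HashMap<String, Account>();

    /** Opaque id assigned at registration instead of an auto-increment key (100115, 100116, ...). */
    static String newOpaqueId() {
        char[] out = new char[16];                      // 62^16 values: not enumerable by counting up
        for (int i = 0; i < out.length; i++) out[i] = ALPHABET.charAt(RNG.nextInt(ALPHABET.length()));
        return new String(out);
    }

    String register(String username, String password, String details) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Account a = new Account(newOpaqueId(), salt, digest(salt, password), details);
        byUsername.put(username, a);
        byId.put(a.id, a);
        return a.id;
    }

    /** Returns the account id on success, null otherwise. */
    String authenticate(String username, String password) {
        if (username == null || password == null) return null;
        Account a = byUsername.get(username);
        if (a == null || !MessageDigest.isEqual(a.digest, digest(a.salt, password))) return null;
        return a.id;
    }

    String detailsFor(String id) {
        Account a = byId.get(id);
        return a == null ? null : a.details;
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256"); // stand-in for a proper password hash
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Login: checks credentials, then keeps the id in the server-side session, never in a link or hidden field. */
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = UserStore.SHARED.authenticate(req.getParameter("username"), req.getParameter("password"));
        if (id == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();              // fresh session id after login, nothing carried over
        req.getSession(true).setAttribute("userId", id);
        resp.sendRedirect(req.getContextPath() + "/details");   // assumed mapping of SessionDetailsServlet
    }
}

/** BEFORE: the id is read from the query string, so editing ?userId=... selects another user's row. */
class InsecureDetailsServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String details = UserStore.SHARED.detailsFor(req.getParameter("userId"));  // client-controlled
        resp.setContentType("text/plain");
        resp.getWriter().println(details);
    }
}

/** AFTER: the only id honoured is the one the login step stored in the session. */
class SessionDetailsServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);    // do not create a session for anonymous visitors
        Object id = (session == null) ? null : session.getAttribute("userId");
        if (id == null) {
            resp.sendRedirect(req.getContextPath() + "/login");   // assumed login page path
            return;
        }
        // req.getParameter("userId") is deliberately ignored: the request cannot choose whose details to show.
        resp.setContentType("text/plain");
        resp.getWriter().println(UserStore.SHARED.detailsFor((String) id));
    }
}
```

Because the id never leaves the server, switching the link from GET to POST becomes unnecessary for this page: there is no parameter to hide. The example also does not consult the HTTP_Referer header, since that header is supplied by the client and can be absent or altered, so it is not used as the authorization check; the session lookup is.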
> -----Original Message-----
> From: Andras Balogh [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 30, 2000 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Get to Post
>
>
> Hi,
>
>     I have been following this thread and I just want to add some things:
>
>     I think that you can't prevent in any way a user that has access to a
> page from sending whatever form data he wants. Somebody could save the HTML
> locally and change e.g. <input type="hidden" user_id="12"> to
> <input type="hidden" user_id="15">. I mean that this sentence is not 100%
> realisable: "I do not want someone to change the URL parameters and
> attempt to see someone else's details".
>       My opinion is that this approach is wrong; I would use a user
> authorization method like session or HTTP authentication and keep my user
> info in a safe place, not in hidden form fields.
>       Also I use hidden fields myself, but (manually changing) the value of
> them (in the worst case) will have the side effect of an exception being
> thrown, but not illegal access or database inconsistency.
>
> p.s. Any comment is welcomed.
>
> Andras.
>
> ----- Original Message -----
> From: "vsr" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 30, 2000 2:56 PM
> Subject: Get to Post
>
>
> > Hi
> >
> > How can I convert a GET request to POST in the HTML Page?
> >
> > What I mean is that I do not want someone to change the URL parameters
> > and attempt to see someone else's details.
> >
> > Even if the user clicks on the link, it should be sent as POST to the
> > Servlet so that the user can't see the parameters in the URL.
> >
> > I have seen this before but couldn't recollect.
> >
> > Thanks
> >
> >
> > =====
> > vsr

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html