Andras:

What you write:
    I mean that this sentence is unrealisable 100%:
    "I do not want someone to change the URL parameters and attempt to see
    someone else's details".
I agree entirely. I think the original poster is trying to get encryption
going for just that reason. But in fact seeing the names of the querystring
vars in the original link may be dangerous, because the user could use trial
and error to look at someone else's data, which is what I believe you are
saying (and if the values can be guessed, then encryption on just the values
won't help..). So I think you have a good point: HTTP authenticating and/or
using session vars is an easier (and maybe more conventional?) way to go.

However, his other goal:
> Even if the user clicks on the link, it should
> be sent as POST to the Servlet so that the user
> can't see the parameters in the URL.
If this means that he doesn't want the URL displayed in his browser's URL
location (this may also be for aesthetic reasons..), this can in fact be
achieved as I outlined earlier.

Geeta
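
The session-based approach both messages arrive at, as an added example (not code from this thread): a servlet that takes the record owner from the HttpSession and treats the `user_id` parameter as untrusted input. It assumes the javax.servlet API, a login step that stores `userId` in the session, and a hypothetical `lookupDetails` helper.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration; class, attribute and helper names are hypothetical.
public class AccountDetailsServlet extends HttpServlet {

    // Assumed to be set by the login code after authentication succeeded.
    static final String SESSION_USER_ID = "userId";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = req.getSession(false);
        Object owner = (session == null) ? null : session.getAttribute(SESSION_USER_ID);
        if (owner == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String sessionUserId = owner.toString();

        // The hidden field or query parameter is only compared against the
        // session; it never selects which record is loaded.
        String claimed = req.getParameter("user_id");
        if (claimed != null && !claimed.equals(sessionUserId)) {
            // Strip CR/LF so the untrusted value cannot forge log lines.
            String safe = claimed.replaceAll("[\\r\\n]", "_");
            log("user_id mismatch: session=" + sessionUserId + " claimed=" + safe);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(lookupDetails(sessionUserId));
    }

    // GET goes through the same check, so the HTTP method changes nothing.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        doPost(req, resp);
    }

    // Hypothetical data-access stub standing in for the real lookup.
    private String lookupDetails(String userId) {
        return "details for user " + userId;
    }
}
```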

Andras Balogh wrote:

> Hi,
>
>     I have been following this thread and I just want to add some things:
>
>     I think that you can't prevent in any way a user who has access to
> a page from sending whatever form data he wants.
> Somebody could save the HTML locally and
> change e.g. <input type="hidden" user_id="12"> to
> <input type="hidden" user_id="15">.
> I mean that this sentence is unrealisable 100%:
> "I do not want someone to change the URL parameters and
> attempt to see someone else's details".
>       My opinion is that this approach is wrong; I would use a user
> authorization method like session or HTTP authentication and keep my
> user info in a safe place, not in hidden form fields.
>       Also, I use hidden fields myself, but manually changing the value of
> them will (in the worst case) have the side effect of an exception being
> thrown, but not illegal access or database inconsistency.
>
> p.s. Any comment is welcomed.
>
> Andras.
>
> ----- Original Message -----
> From: "vsr" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 30, 2000 2:56 PM
> Subject: Get to Post
>
> > Hi
> >
> > How can I convert a GET request to POST in the HTML
> > page?
> >
> > What I mean is that I do not want someone to change
> > the URL parameters and attempt to see someone else's
> > details.
> >
> > Even if the user clicks on the link, it should
> > be sent as POST to the Servlet so that the user
> > can't see the parameters in the URL.
> >
> > I have seen this before but couldn't recollect.
> >
> > Thanks
> >
> >
> > =====
> > vsr
> >
> > ___________________________________________________________________________
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff SERVLET-INTEREST".
> >
> > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > Resources: http://java.sun.com/products/servlet/external-resources.html
> > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
