Tim Panton-Westpoint Ltd wrote:
> Just remember that malicious users
> can see/change hidden fields.
> If your application needs to be at all
> secure you should put the id into
> a session that is shared between the
> servlets.

Just remember that malicious users can see/change *anything* you pass to
them, whether it's in a hidden field, embedded in the URL, or in a
cookie. And encryption has no effect on a malicious user ... he can see
and manipulate *any* information you send him, if he wants to.

It's your job to make sure your resources aren't damaged or compromised
when a malicious user feeds it bogus information.

Pat
--
Patrick Timmins
[EMAIL PROTECTED]
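
An added example, not part of the original post or of any poster's code: a server-side check that treats a hidden-field id as untrusted and decides from session state and a server-held ownership table. The class name, the `recordId` and `user` keys, and the sample records are all hypothetical; the two maps stand in for `request.getParameter(...)` and `HttpSession` attributes so it runs without a servlet container.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: plain Java standing in for a servlet's doPost().
// `params` plays the role of request.getParameter(...) (client-controlled);
// `session` plays the role of HttpSession attributes (server-side only).
public class HiddenFieldCheck {
    // Constructed sample data: which user owns which record id.
    static final Map<Integer, String> RECORD_OWNER = new HashMap<>();
    static {
        RECORD_OWNER.put(101, "alice");
        RECORD_OWNER.put(102, "bob");
    }

    /** Returns an HTTP-style status code for a request to edit a record. */
    static int authorizeEdit(Map<String, String> params, Map<String, Object> session) {
        Object user = session.get("user");          // set by the server at login
        if (!(user instanceof String)) return 401;  // no authenticated session

        String raw = params.get("recordId");        // hidden field: untrusted
        int id;
        try {
            id = Integer.parseInt(raw);
        } catch (NumberFormatException e) {         // also covers a missing field
            return 400;
        }
        String owner = RECORD_OWNER.get(id);
        if (owner == null) return 404;
        // The decision rests on server-side state, not on what the form said.
        return owner.equals(user) ? 200 : 403;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        session.put("user", "alice");
        Map<String, String> params = new HashMap<>();

        params.put("recordId", "101");           // value the server originally sent
        System.out.println(authorizeEdit(params, session));
        params.put("recordId", "102");           // hidden field changed by the client
        System.out.println(authorizeEdit(params, session));
        params.put("recordId", "not-a-number");  // malformed input
        System.out.println(authorizeEdit(params, session));
    }
}
```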