> From: Joe Pluta
>
> Be careful here. This is not a very secure approach. While a user with a
> browser may not be able to see or change hidden POST data, it's quite easy
> for them to do a "view source" and copy the HTML into their own static page.
> From that point, they can quite easily see and alter the contents of
> "hidden" variables, then call the modified page up in their browser. This
> is equivalent to changing the URL on a GET request. A little more work, but
> not much. And even if you do manage to hide the source (there are ways,
> especially in DHTML), it's not that difficult to write an HTTP client that
> can spoof POST data. I'm pretty sure Brad Stone's GETURL goes a long way
> towards that.

Joe, excellent point. There are a few other things we do to encrypt somewhat the CGICDS using a daily changing 'webkey'. I won't go into detail on how it's implemented, but even that method wouldn't work if the person did this on the same day. I haven't looked into it yet, but how can you hide the source using DHTML? Also, I'll take a close look at Brad's technique as I need this to be as secure as possible.
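
Added example, not part of the original posts and not the 'webkey' scheme mentioned above: one way for the server to detect altered hidden fields is to emit a keyed MAC over them, bound to the user's session and an issue time, and to recheck it on every POST. All names, the demo key and the 15-minute window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real server keeps a random secret that never reaches the page.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 15 * 60  # assumed validity window, far shorter than a day


def _mac(session_id, fields, issued_at):
    # Length-prefix every component so bytes cannot be shifted between fields.
    parts = [session_id, str(issued_at)]
    for name in sorted(fields):
        parts += [name, fields[name]]
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def seal_hidden_fields(session_id, fields, now=None):
    """Return the hidden fields plus the issue time and MAC to emit in the form."""
    issued_at = int(time.time() if now is None else now)
    sealed = dict(fields)
    sealed["_ts"] = str(issued_at)
    sealed["_mac"] = _mac(session_id, fields, issued_at)
    return sealed


def verify_hidden_fields(session_id, posted, now=None):
    """Return the trusted fields, or None if the POST is altered, stale or from another session."""
    now = int(time.time() if now is None else now)
    fields = {k: v for k, v in posted.items() if k not in ("_ts", "_mac")}
    try:
        issued_at = int(posted["_ts"])
    except (KeyError, ValueError):
        return None
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None
    expected = _mac(session_id, fields, issued_at).encode()
    supplied = str(posted.get("_mac", "")).encode()
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(expected, supplied):
        return None
    return fields
```

The MAC only makes tampering detectable; values the client should never see at all are better kept in server-side session state and referenced by an opaque session identifier.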
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].