× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



First of all I would think you should restrict how many URL object calls which can be made via URL to your Apache site.

Then use SSL. Of course.

Then tie your session ID to an IP address and possibly a unique request ID as I think you may have already mentioned.

Then make your service program or CGI code smart enough to observe the security of your web session which is hopefully stored in a database server side.

You do make your service programs security and session aware don't you ?

Methods like OAuth also work off of security tokens.

Did you find that SOX reference to not using cookies or token ids yet ?

Regards,


Richard Schoen
Director of Document Management
e. richard.schoen@xxxxxxxxxxxxxxx
p. 952.486.6802
w. helpsystems.com
--------------------------------
Subject: Re: Question on QTEMP and CGI Jobs
From: Henrik Rützou <hr@xxxxxxxxxxxx>
Date: Sat, 4 Mar 2017 17:58:30 +0100

Richard

lets say your server has a SERVICE01.PGM that returns JSON with all your
customers and a
SERVICE02.PGM tha returns all your emplyees how do a sesion cookie prevent
a user that
snifs your SERVICE01.PGM URL to change it to SERVICE02.PGM?

Besides that cookies are changable by any who knows a little about how a
browser and
nodepad works.

-----Original Message-----
From: Richard Schoen
Sent: Saturday, March 4, 2017 10:21 AM
To: web400@xxxxxxxxxxxx
Subject: RE: Question on QTEMP and CGI Jobs

Can you point me to the SOX clause that says using a cookie is bad ?

I'm guessing you're tracking your session either by cookie or a hidden variable somewhere or a query string. No ?

Using cookies are only bad if you're storing lots of client side data in them and don't have appropriate back end logic in place to insure a session is not spoofed.

Don't make stupid assertions in relation to my use of cookies.

You've never seen me eat before so how would you know what I do with cookies ? :-)

Regards,

Richard Schoen
Director of Document Management
e. richard.schoen@xxxxxxxxxxxxxxx
p. 952.486.6802
w. helpsystems.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.