> > From: Joe Pluta
> >
>
> Be careful here.  This is not a very secure approach.  While a user with a
> browser may not be able to see or change hidden POST data, it's quite easy
> for them to do a "view source" and copy the HTML into their own static
> page.  From that point, they can quite easily see and alter the contents of
> "hidden" variables, then call the modified page up in their browser.  This
> is equivalent to changing the URL on a GET request.  A little more work,
> but not much.  And even if you do manage to hide the source (there are ways,
> especially in DHTML), it's not that difficult to write an HTTP client that
> can spoof POST data.  I'm pretty sure Brad Stone's GETURL goes a long way
> towards that.
>
>
Joe, excellent point.  There are a few other things we do to encrypt
somewhat the CGICDS using a daily changing 'webkey' but I won't go into
detail on how it's implemented but even that method wouldn't work if the
person did this on the same day.  I haven't looked into it yet but how can
you hide the source using DHTML?  Also, I'll take a close look at Brad's
technique as I need this to be as secure as possible.
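
Added example (not part of either post, and not the 'webkey' scheme mentioned above, whose details the thread does not give): one way a server can detect altered hidden fields is to attach an HMAC, computed with a server-only key over the session id, issue time and field values, and recheck it on every POST. The key, the field names `_ts` and `_mac`, the session ids and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret that never leaves the server (constructed sample value).
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 900  # assumption: a rendered form stays valid for 15 minutes


def _mac(session_id, issued_at, fields):
    """HMAC-SHA256 over the session id, issue time and every hidden field."""
    parts = [session_id, str(issued_at)]
    for name in sorted(fields):
        parts += [name, fields[name]]
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form(session_id, fields, now=None):
    """Return the hidden fields plus the two extra fields the page must carry."""
    issued_at = int(time.time() if now is None else now)
    out = dict(fields)
    out["_ts"] = str(issued_at)
    out["_mac"] = _mac(session_id, issued_at, fields)
    return out


def verify_post(session_id, posted, now=None):
    """Accept the POST only if it is unmodified, fresh and from this session."""
    now = int(time.time() if now is None else now)
    fields = {k: v for k, v in posted.items() if k not in ("_ts", "_mac")}
    try:
        issued_at = int(posted["_ts"])
    except (KeyError, ValueError):
        return False
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # stale form: the replay window is minutes, not a whole day
    expected = _mac(session_id, issued_at, fields).encode()
    supplied = str(posted.get("_mac", "")).encode()
    return hmac.compare_digest(expected, supplied)  # constant-time comparison
```

This only detects modification; the values are still readable in the page source, so anything the user must not see belongs in server-side session state rather than in the form.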





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
