On Fri, May 18, 2007 at 12:16:34PM -0700, mla wrote: > Bill Moseley wrote: > >Using md5s for images, as in your example, is fine. But if the images > >really needed to be protected then that scheme is purely security by > >obscurity. That's what we were talking about -- the case where some > >user might type in the next sequence and see someone else's data. If > >the images belonged to users you would probably want to make sure the > >request is authorized to view the image instead of relying on just > >obscuring the url. > > > >Adding layers of security are fine -- but you have to be careful that > >the added complexity doesn't also make it easier to leave open a hole. > > Totally agree, but we should note that to "make sure the request is > authorized to view the image" is usually dependent on the session ID, > and the session ID is nothing more than a difficult to guess string. ;-)
Ya, exactly. /item/3 isn't really the request -- it's <some hard to guess md5 session> plus /item/3. Does adding a *second* md5 hash do much more good? -- Bill Moseley [EMAIL PROTECTED] _______________________________________________ List: Catalyst@lists.rawmode.org Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/ Dev site: http://dev.catalyst.perl.org/