Mark,

The problem I'm having is that the report section of my app needs to be
viewable to users without a password (as per the client's request) but our
client has many clients, each of whom may have access to different reports.
Our client will be sending each client a URL for each report they are able
to view.

I never really know which reports our client will deem viewable by which of
their clients, so I need an easy / secure way to make sure 'Client A' that
receives /report.cgi?id=200 can't URL hack the id=200 to be id=199 which may
be a report meant for 'Client B'.

I could come up with a quick solution using crypt() on the reportid and
including the result in the arguments along with the report id:
/report.cgi?id=200&enc=a23dj7923h or possibly doing a simple encryption on
the report id itself /report.cgi?id=2dj872. I was just wondering what
techniques other people are using to get around this same challenge.

---
Steve Comrie
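As an added illustration of the "id plus enc" scheme proposed above (this is not code from either message): the enc value is an HMAC over the report id computed with a server-side secret, so editing id=200 to id=199 leaves the tag unverifiable. The secret value, the "report:" prefix and all function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret (constructed placeholder; keep it out of the URL and of version control).
my $SECRET = 'replace-with-a-long-random-secret';

# Tag bound to the report id; the "report:" prefix keeps the tag from being
# reused for some other id-bearing parameter signed with the same secret.
sub sign_report_id {
    my ($id) = @_;
    return hmac_sha256_hex("report:$id", $SECRET);
}

# The URL our client hands to each of their clients.
sub make_report_url {
    my ($id) = @_;
    return sprintf '/report.cgi?id=%d&enc=%s', $id, sign_report_id($id);
}

# Constant-time comparison: a plain 'eq' stops at the first differing byte.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# What report.cgi does before rendering: recompute the tag and compare.
sub report_allowed {
    my ($id, $enc) = @_;
    return 0 unless defined $id && $id =~ /\A\d+\z/ && defined $enc;
    return tokens_equal(sign_report_id($id), $enc);
}

# Minimal query-string parser standing in for CGI.pm's param().
sub parse_query {
    my ($qs) = @_;
    return { map { split /=/, $_, 2 } split /&/, $qs };
}

my $url = make_report_url(200);
my ($qs) = $url =~ /\?(.*)\z/;
my $p = parse_query($qs);
printf "%s -> %s\n", $url, report_allowed($p->{id}, $p->{enc}) ? 'allowed' : 'denied';
# Client A edits id=200 to id=199 but cannot produce a matching enc.
printf "id=199 with A's enc -> %s\n", report_allowed(199, $p->{enc}) ? 'allowed' : 'denied';
```

Rotating $SECRET invalidates every link already sent out, so plan that before relying on it.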

----- Original Message ----- 
From: "Mark Stosberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 10:31 PM
Subject: [cgiapp] Re: URL Encryption


> On 2003-10-06, Steve Comrie <[EMAIL PROTECTED]> wrote:
> > I know there's a couple people on the list that have mentioned it before
> > and I haven't had a use for it up until now, but what techniques / CPAN
> > modules are being used to encrypt static URL's to prevent URL hacking?
>
> By static URL, I assume you mean a "GET" style query string, not just
> the URL of a static page.
>
> My applications tend to be (Postgres) database backed. Often I pass
> around primary ids of table rows (instead of the data). Or, if a user
> has some data that is specific to them, it can be stored in session
> table, and just the session_id is passed. Lately, I've been using
> CGI::Session for that, and I will start using my own
> CGI::Session::PureSQL module with it soon.
>
> "PureSQL" stores data in the standard database way of one value per
> column, rather than the default CGI::Session method of serializing all
> the data into a Perl data structure in a single DB column. That will be
> released on CPAN once it's cleaned up a bit.
>
> I noticed that someone wrote CGI::Session::Auth, which adds extra
> functions to check for "logged_In" and so forth. I may look more into
> that module as well.
>
> Mark
>
> --
> http://mark.stosberg.com/
>
>
> ---------------------------------------------------------------------
> Web Archive:  http://www.mail-archive.com/[EMAIL PROTECTED]/
>               http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


