All,

You could generate a "token" - an MD5-hashed random string that you then
associate with the report and the user via a server-side DB.

Your client can then mail these URLs that have these tokens in them to
your client's clients. The URL will be totally indecipherable and
untamperable. 

You'd need to create a little app to generate and manage these tokens
(or build it into your system) but that shouldn't be too bad.

When a request comes in with a token attached, check it for validity
against the DB and show, or don't show, based on what you find.

This is pretty much how the backend of CGI::Session works, btw.

-DJCP



On Tue, 2003-10-07 at 05:43, Steve Comrie wrote:
> Mark,
> 
> The problem I'm having is that the report section of my app needs to be
> viewable to users without a password (as per the client's request) but our
> client has many clients, each of whom may have access to different reports.
> Our client will be sending each client a URL for each report they are able
> to view.
> 
> I never really know which reports our client will deem viewable by which of
> their clients, so I need an easy / secure way to make sure 'Client A' that
> receives /report.cgi?id=200 can't URL hack the id=200 to be id=199 which may
> be a report meant for 'Client B'.
> 
> I could come up with a quick solution using crypt() on the reportid and
> including the result in the arguments along with the report id:
> /report.cgi?id=200&enc=a23dj7923h or possibly doing a simple encryption on
> the report id itself /report.cgi?id=2dj872. I was just wondering what
> techniques other people are using to get around this same challenge.
> 
> ---
> Steve Comrie
> 
> ----- Original Message ----- 
> From: "Mark Stosberg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 06, 2003 10:31 PM
> Subject: [cgiapp] Re: URL Encryption
> 
> 
> > On 2003-10-06, Steve Comrie <[EMAIL PROTECTED]> wrote:
> > > I know there's a couple of people on the list that have mentioned it
> > > before and I haven't had a use for it up until now, but what techniques
> > > / CPAN modules are being used to encrypt static URLs to prevent URL
> > > hacking?
> >
> > By static URL, I assume you mean a "GET" style query string, not just
> > the URL of a static page.
> >
> > My applications tend to be (Postgres) database backed. Often I pass
> > around primary ids of table rows (instead of the data). Or, if a user
> > has some data that is specific to them, it can be stored in session
> > table, and just the session_id is passed. Lately, I've been using
> > CGI::Session for that, and I will start using my own
> > CGI::Session::PureSQL module with it soon.
> >
> > "PureSQL" stores data in the standard database way of one value per
> > column, rather than the default CGI::Session method of serializing all
> > the data into a Perl data structure in a single DB column. That will be
> > released on CPAN once it's cleaned up a bit.
> >
> > I noticed that someone wrote CGI::Session::Auth, which adds extra
> > functions to check for "logged_In" and so forth. I may look more into
> > that module as well.
> >
> > Mark
> >
> > --
> > http://mark.stosberg.com/
> >
> >
> > ---------------------------------------------------------------------
> > Web Archive:  http://www.mail-archive.com/[EMAIL PROTECTED]/
> >               http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> 
-- 
Dan Collis Puro
GeekUprising Internet Consultants
http://www.geekuprising.com
[EMAIL PROTECTED]
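Dan's token scheme above, as an added example that is not from his message or from CGI::Session, written in Perl; it assumes /dev/urandom as the random source and uses a hash as a stand-in for the server-side DB table:

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
# Stand-in for the server-side table token -> (client, report). Assumption
# for this example; a real app would keep it in a DBI-backed table.
my %token_table;

# Bytes from the OS random source. perl's rand() is predictable and must
# not be used for tokens that have to be unguessable.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Issue a token granting one client one report, and record the grant. The
# unguessability comes from the 128 random bits; md5_hex only renders them
# fixed-length and URL-safe. The mailed URL carries the token alone.
sub issue_token {
    my ($client, $report_id) = @_;
    my $token = md5_hex(random_bytes(16));
    $token_table{$token} = { client => $client, report_id => $report_id };
    return $token;
}

# Resolve an incoming token to the report it grants, or undef. The token is
# the only input consulted: honouring a separate id= parameter as well
# would bypass this check.
sub report_for_token {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    my $row = $token_table{$token} or return undef;
    return $row->{report_id};
}
# Revoke one client's link without disturbing anyone else's.
sub revoke_token { delete $token_table{$_[0]} }

unless (caller) {
    my $tok_a = issue_token('Client A', 200);
    my $tok_b = issue_token('Client B', 199);
    print "mail to Client A: /report.cgi?t=$tok_a\n";
    for my $t ($tok_a, '199', $tok_b) {   # A's token, a guessed id, B's token
        my $id = report_for_token($t);
        print defined $id ? "report $id\n" : "denied\n";
    }
    revoke_token($tok_a);
    print defined report_for_token($tok_a) ? "still valid\n" : "revoked\n";
}
```

Run it directly to see Client A's link resolve to report 200 while a guessed id and a revoked token are denied.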


