On Thu, Jul 10, 2003 at 01:29:06PM -0500, ryan whippo wrote:
> I have an application that passes params around in the url.  We need to
> hide these for security reasons.  We also don't want to have to change a
> lot of code.  Any ideas? 

Yes... don't do this.

Anything in the URL is visible, as is anything in a web page you send to
a client that generated the form reply.

If it's for security, keep the private data on the server, and refer to
it with a "session ID".

If you really must use a cgi parameter, use a hidden field on the form,
and encrypt the data, including a checksum, so users can't easily change it.
But assume that at least a few will find out how to change it anyway.

Liam

-- 
Liam Quin, W3C XML Activity Lead, [EMAIL PROTECTED], http://www.w3.org/People/Quin/
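
The two options from the reply above, as an added example that is not part of the original e-mail: a server-side store addressed by a random session ID, and a hidden field whose "checksum" is an HMAC-SHA256 tag keyed with a server-only secret. The function names, `SERVER_KEY` and the parameter values are hypothetical, and this sketch does not encrypt the field, so the user can still read it but cannot alter it without the change being detected.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Assumption: a per-application secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Option 1: keep the private data on the server, hand out only an ID.
_SESSIONS = {}

def new_session(private_data):
    """Store the data server-side and return an unguessable session ID."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = dict(private_data)
    return sid

def load_session(sid):
    """Return the stored data, or None for an unknown or made-up ID."""
    return _SESSIONS.get(sid)

# Option 2: hidden form field carrying the data plus a keyed checksum.
# A plain CRC or unkeyed hash could be recomputed by the user; an HMAC cannot.
def seal_field(params, key=SERVER_KEY):
    """Serialize params and append an HMAC-SHA256 tag over the encoded body."""
    body = urlsafe_b64encode(json.dumps(params, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def open_field(value, key=SERVER_KEY):
    """Return the params, or None if the field was altered or malformed."""
    body, sep, tag = value.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    # The tag verified, so the body is exactly what the server produced.
    return json.loads(urlsafe_b64decode(body))
```
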
