Ya, exactly. /item/3 isn't really the request -- it's <some hard to guess md5 session> plus /item/3. Does adding a *second* md5 hash do much more good?
Well, the session id would authorize the user to use the application. We would need an additional query to determine if "/item/3/view" is accessible to the user. Something like "item.userid = $c->user->userid" in your query would serve the purpose. I was trying to avoid the query as far as possible by obfuscating URLs. If the user goes through this check, you need to have a similar query to do the actual authorization.

--
Harshal Shah

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
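
The ownership condition mentioned in the reply above ("item.userid = $c->user->userid") can be folded into the fetch itself, so that loading the item and authorizing it are one query. This is an added example, not code from the thread or from Catalyst; it assumes DBI with DBD::SQLite is installed, and the item table, the sample rows, fetch_item_for_user() and view_item() are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: fetch and authorize in a single owner-scoped query.
# Schema, sample rows and both subs are constructed for illustration.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE item (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, title TEXT)');
$dbh->do('INSERT INTO item (id, userid, title) VALUES (?, ?, ?)', undef, @$_)
    for ([1, 10, 'alice notes'], [2, 10, 'alice draft'], [3, 20, 'bob invoice']);

# Returns the row only when it exists AND belongs to $userid.
# The owner id always comes from the server-side session, never from the URL.
sub fetch_item_for_user {
    my ($dbh, $item_id, $userid) = @_;
    # Reject anything that is not a plain integer id before touching the database.
    return unless defined $item_id && $item_id =~ /\A[0-9]+\z/;
    return $dbh->selectrow_hashref(
        'SELECT id, userid, title FROM item WHERE id = ? AND userid = ?',
        undef, $item_id, $userid,
    );
}

# Stand-in for a controller action handling /item/<id>/view.
# "Not found" and "not yours" get the same answer, so a guessed id
# does not reveal whether another user's item exists.
sub view_item {
    my ($dbh, $session_userid, $item_id) = @_;
    my $item = fetch_item_for_user($dbh, $item_id, $session_userid);
    return $item ? "200 $item->{title}" : '404 Not Found';
}

# Constructed requests: owner, non-owner, own item, missing id, malformed id.
for my $case ([20, 3], [10, 3], [10, 1], [10, 99], [10, '3 OR 1=1']) {
    my ($uid, $id) = @$case;
    printf "user %-2d /item/%s/view -> %s\n", $uid, $id, view_item($dbh, $uid, $id);
}
```

Because the WHERE clause carries the owner check, no separate authorization query is needed, and the item URL does not have to be unguessable for the check to hold.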