There are several layers of security:

1. Authentication. Login screen and cookie with domain scope gives trusted user id. Make the login screen SSL even if the rest of the app is plain HTTP, if you're concerned about protecting user passwords. You could generate a one-time token per transaction if you're really paranoid and have a single-window application.

2. Application permission. Based on the user id, some concept of which of the following the user can access:
   - applications (base controller perm check)
   - transactions by application (controller perm check)
   - data sets by application (model perm check)
   Throw an exception if the user tries to access something they shouldn't. Write Test::WWW::Mech / Selenium tests to verify the full range of access checks, run a smoke test daily and a release test.

3. Exploit attacks. Re-ask for password on critical screens. Be really careful about escaping form fields and anything that gets passed in as an SQL argument. Read up on Perl tainting.

The biggest security threat is actually insider fraud, so try and design a system that you would struggle to break yourself, with checks and balances including a write-only audit trail.

If you are serious about security, pay a security consultancy to audit your code and site.

Hashing the URL will make life hard for you as a developer and won't necessarily stop black hats.

Regards,
Peter

Dragonstaff Limited
http://www.dragonstaff.com
Business IT Consultancy

-----Original Message-----
From: Harshal Shah [mailto:[EMAIL PROTECTED]]
Sent: 19 May 2007 04:39
To: The elegant MVC web framework
Subject: Re: [Catalyst] Encrypt /Decrypt URI

> > Ya, exactly. /item/3 isn't really the request -- it's <some hard to
> > guess md5 session> plus /item/3. Does adding a *second* md5 hash do
> > much more good?
>
> Well, session id would authorize user to use the application. We would need additional query to determine if "/item/3/view" is accessible to user. Something like "item.userid = $c->user->userid" in your query would serve the purpose. I was trying to avoid the query as far as possible by obfuscating URLs. If user goes through this check, you need to have a similar query to do actual authorization.
> --
> Harshal Shah
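The model permission check the thread converges on, the ownership condition inside the lookup query rather than an obfuscated URL, written out as an added illustration; it is not code from the thread or from Catalyst itself, and it assumes a DBIx::Class model named DB::Item with id and userid columns, an authentication store whose user object exposes userid, and that the controller is mounted at /item.

```perl
package MyApp::Controller::Item;
use strict;
use warnings;
use parent 'Catalyst::Controller';

# Chained base for /item/<id>/...: the trusted user id comes from the
# session cookie (layer 1); the owner filter in the same query as the
# lookup is the model perm check (layer 2). Guessing or de-obfuscating
# an id buys nothing because the query never returns another user's row.
sub item : Chained('/') PathPart('item') CaptureArgs(1) {
    my ($self, $c, $id) = @_;

    # No trusted user id, no access at all.
    unless ($c->user_exists) {
        $c->response->status(401);
        $c->response->body('Login required');
        $c->detach;
    }

    # Reject anything that is not a plain integer before it reaches SQL.
    unless (defined $id && $id =~ /\A[0-9]+\z/) {
        $c->response->status(400);
        $c->response->body('Bad item id');
        $c->detach;
    }

    # Ownership is part of the WHERE clause ("item.userid = $c->user->userid"),
    # not a separate check after an unscoped fetch.
    my $item = $c->model('DB::Item')->search({
        id     => $id,
        userid => $c->user->userid,
    })->first;

    # Not-found and not-yours look identical to the caller; log the denial
    # so a scan of ids shows up in the audit trail.
    unless ($item) {
        $c->log->warn(sprintf 'user %s denied item %s', $c->user->userid, $id);
        $c->response->status(404);
        $c->response->body('Not found');
        $c->detach;
    }

    $c->stash(item => $item);
}

# GET /item/3/view
sub view : Chained('item') PathPart('view') Args(0) {
    my ($self, $c) = @_;
    $c->stash(template => 'item/view.tt');
}

1;
```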