Yes, https will basically eliminate the possibility of someone in the middle doing a
malicious attack, but the best thing is to secure all the layers separately, so
if someone does get past what you might think would be the https secure layer,
there's still other measures in place to catch them.
Ok wait. I have not thought this all the way
through I think. The kind of attack I was thinking of was where a hostile user
tapped the stream mid-flow, somehow between the end user and the server. Since
the pages are encrypted with https then they (the hostile) should not be able
to do anything, yes? And if the bandit has the user's authentication information
then there really is not much you can do, no? You know, for a meeting idea I'd
really like to hear what the big boys are doing security-wise. All the books I
have, the security is pretty lame and basic.
A.
----- Original Message -----
Sent: Tuesday, August 12, 2003 11:05 AM
Subject: RE: [KCFusion] security question
You may want to do everything through a stored procedure(s). As part
of that stored procedure you could create multiple SQL queries, one of which
can be an audit trail.
Another way is to present the material to be deleted as a table with
a checkbox for each row. Then have the user select each
individual record. Pass the information to a cftag that does the delete.
This reduces the opportunity for a user to randomly type anything in and
allows you to implement a validation routine.
Another item to explore is to use https if security is a concern.
Can't say I have experience with it, but given your description that might be
a method to investigate.
Oh, and just to eliminate confusion, I'm trying
to come up with a SAFE method, not a save method.
A.
----- Original Message -----
Sent: Tuesday, August 12, 2003 10:48 AM
Subject: Re: [KCFusion] security question
I'm sorry, I was in a hurry and should have
explained this better. For the first time I am faced with allowing users
to delete info from a database. I am trying to come up with a save
method for doing that. In other words, I don't want people to just type
random numbers in a query string and start erasing stuff. Most of the
measures I have come up with so far are easily defeated. I had
considered putting the primary key of the tuple to be deleted in a
hidden form field, but if you can alter the info sent in a POST request
(and I think I read somewhere that you could) then that measure is kinda
lame too. The best I've got so far is that the user can only delete
those tuples that are related to their login.
A.
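The two ideas raised in this thread, the reply suggesting a stored procedure with an audit trail plus a validation routine on the submitted record ids, and the original poster's point that the only measure not defeated by editing a hidden field is restricting deletes to rows owned by the logged-in user, combine into one server-side pattern. The following is an added example, not code from anyone on the list; it uses Python with an in-memory SQLite database standing in for the ColdFusion tag and database the thread assumes, and the table names, the `owner_id` column and the `delete_audit` table are all constructed for the example. Whatever ids the client submits (hidden field, checkbox list or query string), the delete is scoped by the session's user id, so a tampered id for someone else's row deletes nothing, and every attempt is logged in the same transaction.

```python
import sqlite3


def setup_db():
    """Build a constructed sample database: two users, three records, an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE)")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)"
    )
    conn.execute(
        "CREATE TABLE delete_audit ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT, record_id INTEGER, actor_id INTEGER,"
        " outcome TEXT, at TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(10, 1, "alice's note"), (11, 1, "alice's other note"), (20, 2, "bob's note")],
    )
    conn.commit()
    return conn


def validate_ids(submitted):
    """The 'validation routine': every submitted value must be a positive integer.

    Anything else (text, SQL fragments, negatives) is rejected before any query runs.
    """
    ids = []
    for raw in submitted:
        try:
            n = int(str(raw).strip())
        except (TypeError, ValueError):
            raise ValueError(f"rejected non-numeric record id: {raw!r}")
        if n <= 0:
            raise ValueError(f"rejected out-of-range record id: {raw!r}")
        ids.append(n)
    return ids


def delete_records(conn, session_user_id, submitted_ids):
    """Delete only rows the session user owns; audit every attempt; one transaction.

    session_user_id comes from the server-side session, never from the form.
    Returns the list of ids actually deleted.
    """
    ids = validate_ids(submitted_ids)
    deleted = []
    # `with conn` commits on success and rolls back if anything raises, so the
    # deletes and their audit rows land together, like a stored procedure would.
    with conn:
        for rid in ids:
            # The ownership predicate is the real control: a tampered id that
            # belongs to another user matches zero rows and nothing is removed.
            cur = conn.execute(
                "DELETE FROM records WHERE id = ? AND owner_id = ?",
                (rid, session_user_id),
            )
            outcome = "deleted" if cur.rowcount == 1 else "refused"
            conn.execute(
                "INSERT INTO delete_audit (record_id, actor_id, outcome) VALUES (?, ?, ?)",
                (rid, session_user_id, outcome),
            )
            if outcome == "deleted":
                deleted.append(rid)
    return deleted


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM records ORDER BY id")]


def audit_outcomes(conn):
    return list(
        conn.execute("SELECT record_id, actor_id, outcome FROM delete_audit ORDER BY id")
    )


if __name__ == "__main__":
    db = setup_db()
    # Bob (session user 2) submits his own record 20 plus a tampered id 10 (Alice's).
    print("deleted:", delete_records(db, 2, ["20", "10"]))   # only 20 goes
    print("remaining:", remaining_ids(db))                   # Alice's rows survive
    for row in audit_outcomes(db):                           # refused attempt is logged
        print("audit:", row)
```

The audit table is where the refused attempts become visible: a user id that keeps showing up with `refused` against record ids it does not own is exactly the "typing random numbers in the query string" behaviour the original question worried about, surfaced server-side instead of silently succeeding.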
----- Original Message -----
Sent: Tuesday, August 12, 2003 11:33 AM
Subject: RE: [KCFusion] security question
I don't know of a way to, say, make IE send different request
headers, but if you're trying to test something, wouldn't cfpost
work?
Is it possible to alter the information
that is sent in the headers of a POST request?
A.