Alex wrote:
> I think using a hash value is the better solution
But this is security-by-obscurity, methinks. If the client has a way of knowing/guessing the hash algorithm (e.g. if this is to be an open source application), then the client can just change both the value and the hash and thus pass validation. No, the server needs to store the value _on the server_, completely out of reach of the client, and associate it with the session somehow for this to be secure.
Peter
--
Peter Valdemar Mørch
http://www.morch.com

--
You received this message because you are subscribed to the Google Groups "Firebug" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/firebug?hl=en.
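The two designs Peter contrasts, as an added illustration that is not part of the original thread: a value whose hash travels through the client under a known algorithm, beside a copy kept in a server-side session store. The session store, the `digest` helper and the sample "price" value are constructed for this example.

```python
import hashlib
import secrets

def digest(value: str) -> str:
    # Hash algorithm the server uses; assumed to be public (e.g. open source).
    return hashlib.sha256(value.encode()).hexdigest()

# --- Design 1: value and its hash both travel through the client ---
def issue_client_side(value: str) -> dict:
    return {"value": value, "hash": digest(value)}

def validate_client_side(submitted: dict) -> bool:
    # Only checks internal consistency; anyone who knows digest() can satisfy it.
    return submitted["hash"] == digest(submitted["value"])

# --- Design 2: value kept on the server, keyed by an opaque session id ---
SESSIONS: dict[str, str] = {}  # constructed in-memory session store

def issue_server_side(value: str) -> str:
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = value
    return session_id  # only the id goes to the client; the value never leaves

def validate_server_side(session_id: str, submitted_value: str) -> bool:
    stored = SESSIONS.get(session_id)
    return stored is not None and secrets.compare_digest(stored, submitted_value)

def demo() -> dict:
    price = "100"
    token = issue_client_side(price)
    # A client that knows the algorithm rewrites both fields consistently,
    # so the self-contained check cannot tell the difference.
    rewritten = {"value": "1", "hash": digest("1")}
    sid = issue_server_side(price)
    return {
        "client_side_honest": validate_client_side(token),
        "client_side_rewritten_passes": validate_client_side(rewritten),
        "server_side_honest": validate_server_side(sid, price),
        # Server compares against its own copy; a changed value is rejected.
        "server_side_rewritten_passes": validate_server_side(sid, "1"),
    }
```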
