On 15.06.2010 15:00, Peter Valdemar Mørch wrote:
But this is security-by-obscurity, methinks. If the client has a way of knowing/guessing the hash algorithm (e.g. if this is to be an open source application), then the client can just change both the value and the hash and thus pass validation. No, the server needs to store the value _on the server_, completely out of reach of the client, and associate it with the session somehow for this to be secure.
I don't think this is the right forum for this kind of discussion. However, client and user do not need to be the same in this case. And using a hash value is still way better than disabling firebug (and other tools that display hidden fields).
-- Erik Krause http://www.erik-krause.de
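The two positions in the exchange above, worked through in code. This is an added example and not code from either poster or from the Firebug project; the field name, the sample values and the server secret are constructed for the demo. The first check is the hidden-field-plus-hash scheme Peter describes (anyone who knows the algorithm can produce a matching pair), the second is his recommendation of keeping the value server-side and tying it to the session, and the third is an assumed generalization not discussed in the thread: a hash keyed with a secret that only the server holds, which closes the gap without a server-side store.

```python
import hashlib
import hmac
import secrets

# --- Approach 1: value + unkeyed hash in a hidden field (what the thread
# calls security-by-obscurity). The hash depends only on the value, so it can
# be recomputed by anyone who knows the algorithm.
def unkeyed_digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def verify_unkeyed(value: str, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(value), digest)

# --- Approach 2: keep the value on the server, associated with the session
# (Peter's recommendation). The client only ever sees an opaque session id.
class SessionStore:
    def __init__(self) -> None:
        self._data: dict[str, dict[str, str]] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)          # unguessable session identifier
        self._data[sid] = {}
        return sid

    def put(self, sid: str, name: str, value: str) -> None:
        self._data[sid][name] = value

    def get(self, sid: str, name: str):
        return self._data.get(sid, {}).get(name)

def verify_server_side(store: SessionStore, sid: str, name: str, submitted: str) -> bool:
    # The authoritative value never left the server; the submitted value is
    # only accepted if it matches what the session holds.
    stored = store.get(sid, name)
    return stored is not None and hmac.compare_digest(stored, submitted)

# --- Approach 3 (assumed alternative, not from the thread): keyed HMAC with a
# server-only secret. Knowing the algorithm is not enough; the key is needed.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed value

def keyed_digest(value: str, secret: bytes = SERVER_SECRET) -> str:
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_keyed(value: str, digest: str, secret: bytes = SERVER_SECRET) -> bool:
    return hmac.compare_digest(keyed_digest(value, secret), digest)

def demo() -> dict:
    """Run all three checks against an honest and a tampered submission."""
    original, tampered = "100", "1"          # constructed sample values
    results = {}

    # 1. Unkeyed hash: the honest pair passes, but so does a pair the client
    #    rebuilt for the tampered value, because the algorithm is public.
    results["unkeyed_honest"] = verify_unkeyed(original, unkeyed_digest(original))
    results["unkeyed_tampered"] = verify_unkeyed(tampered, unkeyed_digest(tampered))

    # 2. Server-side store: only the value recorded for the session is accepted.
    store = SessionStore()
    sid = store.new_session()
    store.put(sid, "price", original)
    results["server_side_honest"] = verify_server_side(store, sid, "price", original)
    results["server_side_tampered"] = verify_server_side(store, sid, "price", tampered)
    results["server_side_unknown_session"] = verify_server_side(store, "no-such-sid", "price", original)

    # 3. Keyed HMAC: without the secret, the best the client can do is an
    #    unkeyed hash of the tampered value, which does not verify.
    results["keyed_honest"] = verify_keyed(original, keyed_digest(original))
    results["keyed_tampered_without_secret"] = verify_keyed(tampered, unkeyed_digest(tampered))
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} accepted={ok}")
```

Note that `verify_server_side` also rejects a submission for a session id that was never issued, which is the "associate it with the session somehow" part of Peter's point; the keyed variant does not need that bookkeeping but does need the secret to stay out of any client-visible source.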
