Another easy change, which would improve security but definitely not
guarantee it, is to make the servlet listen only to POSTs and not GETs
(only implement doPost and not doGet).

  Mattias Jiderhamn
  Expert Systems
  [EMAIL PROTECTED]


> -----Original Message-----
> From: Vibha Jindal [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 01, 2001 7:01 AM
> Subject: Security Issue - Urgent
>
>
> Hi,
>
> I am using the Post method to submit my form to a Servlet. I am also using
> hidden variables to set certain values that I get and interpret in my
> servlet.
>
> e.g.,
>
> function undoData()
> {
>     // set the hidden fields, then post the form to the servlet
>     document.Form.hdFlagAction.value = "0";
>     document.Form.hdAuditId.value = "1234";
>     document.Form.method = 'POST';
>     document.Form.action = "/NASApp/wisper/AuAuditorsSrv";
>     document.Form.submit();
> }
>
> Now, all that is displayed in the URL is,
> http://157.227.15.228/NASApp/wisper/AuAuditorsSrv
>
> But, if the user just changes the URL, e.g., makes it
> http://157.227.15.228/NASApp/wisper/AuAuditorsSrv?hdAuditId=1007, he can see
> the details of the AuditId 1007, though, since this wasn't his audit, he
> shouldn't have been able to see these details.
>
> Can anyone please help me and let me know, if I can do something in my
> servlet to ignore all that the user enters in the URL ?
>
> Regards,
> Vibha

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
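The exchange above is the whole thread; what follows is an added example, not code from either poster or from the application they describe. It shows a POST-only AuAuditorsSrv that also does what dropping doGet alone cannot: it decides who may see an audit from the server-side session rather than from the hidden field, because getParameter() merges query-string and form-body parameters, so ".../AuAuditorsSrv?hdAuditId=1007" still arrives even on a POST. The javax.servlet API is real; the AUDIT_OWNER table, the "userId" session attribute and the mayView helper are assumptions constructed for this example.

```java
// Added example (not the original poster's servlet). Assumes a javax.servlet
// container; AUDIT_OWNER, the "userId" session attribute and mayView() are
// constructed for illustration.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuAuditorsSrv extends HttpServlet {

    // Constructed sample data: audit id -> owning user id. In a real
    // application this lookup is a database query.
    private static final Map<String, String> AUDIT_OWNER = new HashMap<String, String>();
    static {
        AUDIT_OWNER.put("1234", "vibha");
        AUDIT_OWNER.put("1007", "someone.else");
    }

    // Audit ids are short decimal strings; anything else is rejected before lookup.
    private static final Pattern AUDIT_ID = Pattern.compile("[0-9]{1,10}");

    // The authorisation decision, kept free of servlet types so it can be
    // unit-tested. No login, a malformed id, or an unknown id all deny.
    static boolean mayView(String userId, String auditId) {
        if (userId == null || auditId == null || !AUDIT_ID.matcher(auditId).matches()) {
            return false;
        }
        return userId.equals(AUDIT_OWNER.get(auditId));
    }

    // No doGet here: HttpServlet's default doGet answers with an error
    // (405 Method Not Allowed on HTTP/1.1), so a URL typed into the address
    // bar never reaches the code below.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Who is asking comes from the server-side session, never from a
        // request parameter the client can edit.
        HttpSession session = req.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getParameter() merges query-string and form-body parameters, so
        // POST-only does NOT stop ".../AuAuditorsSrv?hdAuditId=1007". If the
        // form never legitimately sends a query string, refuse one outright.
        if (req.getQueryString() != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "query string not accepted");
            return;
        }

        String auditId = req.getParameter("hdAuditId");
        if (!mayView(userId, auditId)) {
            // A user can still put any value in the POST body with a tool,
            // so this ownership check is the control that actually matters.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/html");
        // auditId has been validated as digits only, so it is safe to echo.
        resp.getWriter().println("<p>Details for audit " + auditId + "</p>");
    }
}
```

With this servlet a user logged in as "vibha" who posts hdAuditId=1007 gets 403, and the same request with ?hdAuditId=1007 appended to the action URL gets 400 before the parameter is even read. On a Jakarta EE 9 or later container the javax.servlet imports become jakarta.servlet; nothing else changes.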