> From: Eric Frazier [mailto:[EMAIL PROTECTED]]
> Sent: 12 June 2002 16:52
>
> I don't know this term "query hijack", can you put it in different words?

Let's say your user who is the boss makes a query 'show me everyone's salary' and your system checks who he is, and because he is the boss, allocates query_id 1, issues the query and sends back page one with everyone's salary details.

Now some other user in the system can now say /query?query_id=1 and hijack the query results - i.e. they will see the results of the query, even though they should not be allowed to.

If your security model is user centric, at a minimum you should put the user_id inside the query_id session, and only let the same user get the results from the saved query parameters.

A better approach is to have the query ALWAYS authenticate the current user, then you won't ever give out data to the wrong person, and users can share query links that will work if they have the appropriate rights.

From www.dictionary.com/search&q=hijack

hijack
n : seizure of a vehicle in transit either to rob it or divert it to an alternate destination [syn: highjack]
v : take arbitrarily or by force; "The Cubans commandeered the plane and flew it to Miami" [syn: commandeer, highjack, pirate, expropriate]

Regards
Jeff
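
The saved-query flow from the message above, as an added example that is not part of the original post: the same query_id is fetched with no check, with the owner check, and with the current user re-authorized on every request. All names (SavedQueries, allowed, the users, roles and salary figures) are hypothetical and constructed for illustration.

```python
import itertools

# Constructed sample data: two managers, one ordinary user.
ROLES = {"boss": "manager", "carol": "manager", "bob": "staff"}
SALARIES = {"boss": 120000, "carol": 95000, "bob": 55000}

def allowed(user, query):
    """Authorization rule assumed here: only managers may list salaries."""
    return query != "all_salaries" or ROLES.get(user) == "manager"

def run(query):
    return dict(SALARIES) if query == "all_salaries" else {}

class SavedQueries:
    def __init__(self):
        self._ids = itertools.count(1)   # query_id 1, 2, 3 ... as in the message
        self._store = {}

    def create(self, user, query):
        if not allowed(user, query):
            raise PermissionError(f"{user} may not run {query}")
        qid = next(self._ids)
        # Keep the user_id alongside the saved query parameters.
        self._store[qid] = {"owner": user, "query": query}
        return qid

    def fetch_unchecked(self, user, qid):
        # The flaw: knowing the query_id is the only requirement.
        return run(self._store[qid]["query"])

    def fetch_owner_only(self, user, qid):
        # Minimum fix: only the user who created the query gets its results.
        saved = self._store[qid]
        if saved["owner"] != user:
            raise PermissionError(f"query {qid} does not belong to {user}")
        return run(saved["query"])

    def fetch_reauthorized(self, user, qid):
        # Better fix: authorize the *current* user against the saved query on
        # every request, so a shared link works only for users with the rights.
        saved = self._store[qid]
        if not allowed(user, saved["query"]):
            raise PermissionError(f"{user} may not run {saved['query']}")
        return run(saved["query"])

def is_denied(fetch, user, qid):
    """Return True when the fetch refuses this user, False when it answers."""
    try:
        fetch(user, qid)
        return False
    except PermissionError:
        return True
```

With the owner check a second manager is refused the boss's link; with re-authorization the link works for any manager and for nobody else.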