On Thu, Jan 10, 2008 at 11:41:54AM -0500, deep sky wrote:
> The variables in the html code can be viewed and someone can mimic the page
> and change the price and stuff.
Don't store sensitive state in hidden form fields pushed to the user's browser. Merely encrypting the data is not a sufficient defense; it needs to be signed *in context*, otherwise various replay and substitution attacks become interesting. Few developers are able to get this right and keep it right through evolutionary updates. So the best practice is to simply avoid this difficult problem entirely.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
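As an added illustration of the two points in the reply above (this is example code, not Viktor's and not anything from the OpenSSL project), the block below shows what "signed in context" means for a hidden form field, and then the alternative Viktor recommends: keep the state on the server and put only an opaque reference in the form. The hidden-field token is an HMAC over the serialized state plus the session id and form name, so a token copied out of one user's checkout page does not verify in another session or on a different form, and an edited price fails the MAC. The secret key, session ids, form names, SKU and prices are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os

# Constructed server-side secret for the example. In a real deployment it comes
# from a secrets store and is never part of anything sent to the browser.
KEY = b"example-server-secret-32-bytes!!"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _context(session_id: str, form: str) -> bytes:
    # Length-prefix each context field so "ab"+"c" and "a"+"bc" cannot collide.
    out = b""
    for part in (session_id.encode(), form.encode()):
        out += len(part).to_bytes(4, "big") + part
    return out


def seal(payload: dict, session_id: str, form: str, now: int, ttl: int = 600,
         key: bytes = KEY) -> str:
    """Serialize state for a hidden field and MAC it together with its context.

    The context (session id, form name) is an input to the MAC but is not
    carried in the token, so the token only verifies where it was issued.
    """
    body = json.dumps({"p": payload, "exp": now + ttl},
                      sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, _context(session_id, form) + body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(mac)


def unseal(token: str, session_id: str, form: str, now: int, key: bytes = KEY):
    """Return the payload if the token verifies for this session/form, else None."""
    try:
        body_s, mac_s = token.split(".", 1)
        body, mac = _b64d(body_s), _b64d(mac_s)
    except (ValueError, binascii.Error):
        return None
    expect = hmac.new(key, _context(session_id, form) + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return None          # edited body, or token minted for another session/form
    data = json.loads(body)  # body is authenticated, so it is our own serialization
    if data["exp"] < now:
        return None          # stale token replayed after its lifetime
    return data["p"]


# The simpler design Viktor recommends: state stays server-side, the form only
# carries an opaque id. _ORDERS is a constructed in-memory stand-in for a DB.
_ORDERS = {}


def create_order(session_id: str, sku: str, price_cents: int) -> str:
    order_id = _b64e(os.urandom(16))
    _ORDERS[(session_id, order_id)] = {"sku": sku, "price_cents": price_cents}
    return order_id  # the only value that goes into the hidden field


def load_order(session_id: str, order_id: str):
    # Keyed by session as well, so an id lifted from another user's page is useless.
    return _ORDERS.get((session_id, order_id))


def demo() -> dict:
    now = 1_200_000_000
    cart = {"sku": "WIDGET-1", "price_cents": 4999}
    tok = seal(cart, "sess-A", "checkout", now)
    _body_s, mac_s = tok.split(".", 1)
    # Attacker edits the price in the decoded body but keeps the original MAC.
    forged_body = _b64e(json.dumps({"p": {"sku": "WIDGET-1", "price_cents": 1},
                                    "exp": now + 600},
                                   sort_keys=True, separators=(",", ":")).encode())
    results = {
        "valid": unseal(tok, "sess-A", "checkout", now + 10),
        "price_edited": unseal(forged_body + "." + mac_s, "sess-A", "checkout", now + 10),
        "other_session": unseal(tok, "sess-B", "checkout", now + 10),
        "other_form": unseal(tok, "sess-A", "refund", now + 10),
        "expired": unseal(tok, "sess-A", "checkout", now + 601),
        "garbage": unseal("not-a-token", "sess-A", "checkout", now),
    }
    oid = create_order("sess-A", "WIDGET-1", 4999)
    results["server_side"] = load_order("sess-A", oid)
    results["server_side_other_session"] = load_order("sess-B", oid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} -> {value}")
```

Even the signed version still allows a replay of the same token, in the same session and form, within its lifetime; stopping that needs a server-side record of used nonces, at which point you are storing state on the server anyway. That is the practical argument for the order-id approach at the bottom: the browser never sees the price, so there is nothing to sign, expire or replay-check.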