Am 03.02.10 19:01, schrieb Alan Harris-Reid:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and gives clues as to how to bypass the
correct sequence of events, and could be risky if they entered the URL
directly (especially when it comes to deleting records).
Is there another way of passing a record-id to a method
a) without it appearing in the URL?
You can populate an invisible HTML-form with the values, and submit that
- of course you need javascript for this.
But this doesn't increase security a bit. Using an extension to FF such
as HTTP live headers, it's easy enough to figure out what parameters are
passed, and simply forge a request.
b) without the user being able to fathom-out how to attach which id to
which URL?
Paul already mentioned that - you can create a server-side,
session-stored action-item that is identified by a hash of some sort.
Then use that hash as parameter.
But I'd say you should instead make sure that your serve actions perform
authorization checking before performing any operations. Then you don't
need to worry - even guessing a hash argument won't work then.
As each link contains row-id, I guess there is nothing to stop someone
from getting the id from the page source-code. Is it safe to use the
above href method if I test for authorised credentials (user/password
stored as session variables, perhaps?) before performing the edit/delete
action?
You should of course always do that. Every http-action except login
should be guarded (unless you allow anonymous access of course).
Diez
--
http://mail.python.org/mailman/listinfo/python-list
