Hi all

don't know if this is a concern for <all> but consider a very simple hypothetical qooxdoo app serving users with different roles, namely 'user' and 'admin'. The app is storing the user's state locally, thus opening this information to tampering with tools like Firebug and the like, such that 'admin' rights could be granted to a 'user' by manipulating the locally stored state.

With more and more state moving back to the webapp, the practice of storing this information locally in the running app's memory in a human-readable form becomes, in my opinion, more and more questionable.

Options for a browser local store would include having a periodic or per request cross check of hashes with the server

- hashes across the sensitive but still open user info
- crypted cookies as store
- Steganographic methods using an image as store
- ???

Opinions welcome!

Thxs, Werner


qooxdoo-devel mailing list
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel