Werner, if you assume that every user restarts the web browser, you can get some security by requiring the user to enter a password and then using this to decrypt/encrypt the locally stored information.
There is a nice library taking care of this: http://crypto.stanford.edu/sjcl/

cheers
tobi

> Hi all
>
> don't know if this is a concern for <all> but consider a very simple
> hypothetical qooxdoo app serving users with different roles, namely 'user' and
> 'admin'. The app is storing the user's state locally, thus opening this
> information to tampering with tools like Firebug and the like, such that
> 'admin' rights could be granted to a 'user' by manipulating the locally stored
> state.
>
> With moving more and more state back to the webapp, the practice of storing
> this information locally in the running app's memory in a human readable form
> becomes in my opinion more and more questionable.
>
> Options for a browser local store would include having a periodic or per
> request cross check of hashes with the server
>
> - hashes across the sensitive but still open user info
> - encrypted cookies as store
> - steganographic methods using an image as store
> - ???
>
> Opinions welcome!
>
> Thxs, Werner

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch ++41 62 775 9902 / sb: -9900

_______________________________________________
qooxdoo-devel mailing list
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
