On Fri, May 18, 2007 at 08:29:18AM +0530, Harshal Shah wrote:
just trying to hide URLs from users ..
That's not good enough. Most web browsers will show the page title as
well as the URI in lists like tab lists and history. You also need to
cipher the title tag on every page, to ensure your app
Hi Chisel,
just didn't want user to see the url details to prevent unauthorized
access...
I know authorization plugin does the same ..but I had too many rules and
conditions..so I thought it would be a lot simpler if users can't figure out
the urls ..
but I think ..it's better to stick with
On Fri, May 18, 2007 at 08:29:18AM +0530, Harshal Shah wrote:
just trying to hide URLs from users ..
If you don't want users to see URLs, why are you writing a web-app?
--
Chisel Wright
e: [EMAIL PROTECTED]
w: http://www.herlpacker.co.uk/
Brownian motion: the motion of money from individuals'
On Fri, May 18, 2007 at 03:35:21PM +0530, Harshal Shah wrote:
Hi Chisel,
just didn't want user to see the url details to prevent unauthorized
access...
I know authorization plugin does the same ..but I had too many rules and
conditions..so I thought it would be a lot
On Fri, May 18, 2007 at 03:35:21PM +0530, Harshal Shah wrote:
Hi Chisel,
just didn't want user to see the url details to prevent unauthorized
access...
I know authorization plugin does the same ..but I had too many rules and
conditions..so I thought it would be a lot simpler if users
Hi Matt,
sorry for misleading ..but my problem is quite similar to
http://www.mail-archive.com/catalyst@lists.rawmode.org/msg01940.html
I got it to work by keeping my auth code in auto ..it's just that ..I had
seen a mod_perl application ..which used to encrypt urls to add one more
level of
On Fri, May 18, 2007 at 06:38:37PM +0530, Harshal Shah wrote:
Hi Matt,
sorry for misleading ..but my problem is quite similar to
http://www.mail-archive.com/catalyst@lists.rawmode.org/msg01940.html
I got it to work by keeping my auth code in auto
A mixture of chained, controller base
Matt S Trout wrote:
The only use I can see for obfuscating the URL would be to convince a naive
client that your app's more secure than it is (note as Bruce Schneier says,
managing -perceived- security can be as important as managing -actual-
security, but don't confuse the two :).
I see
On Fri, May 18, 2007 at 05:31:51PM +0200, Matija Grabnar wrote:
I see another use to obfuscating **part** of the URL: when you have
things you don't want the users enumerating. Like where you have
edit-item/(itemnumber). You DON'T want itemnumber to be a global counter
(for instance, the
Matija Grabnar wrote:
Bill Moseley wrote:
What you are proposing is if item 7 is instead encoded as
84bc3da1b3e33a18e8d5e1bdd7a18d7a then they are less likely to try
other numbers because of, ... why? Because it's too daunting of a task?
It's a big scary md5 instead of a primary key?
Bill Moseley wrote:
What you are proposing is if item 7 is instead encoded as
84bc3da1b3e33a18e8d5e1bdd7a18d7a then they are less likely to try
other numbers because of, ... why? Because it's too daunting of a task?
It's a big scary md5 instead of a primary key?
Well, in a way. Because the
On Fri, May 18, 2007 at 07:55:35PM +0200, Matija Grabnar wrote:
Bill Moseley wrote:
What you are proposing is if item 7 is instead encoded as
84bc3da1b3e33a18e8d5e1bdd7a18d7a then they are less likely to try
other numbers because of, ... why? Because it's too daunting of a task?
It's a big
Bill Moseley wrote:
Using md5s for images, as in your example, is fine. But if the images
really needed to be protected then that scheme is purely security by
obscurity. That's what we were talking about -- the case where some
user might type in the next sequence and see someone else's data.
On Fri, May 18, 2007 at 12:16:34PM -0700, mla wrote:
Bill Moseley wrote:
Using md5s for images, as in your example, is fine. But if the images
really needed to be protected then that scheme is purely security by
obscurity. That's what we were talking about -- the case where some
user might
Bill Moseley wrote:
Last time I checked there were an infinite of integers. (And I'm not
planning on counting them again.)
I feel that we are talking past each other. Perhaps I was insufficiently
clear in my writing.
I don't have a special preference for alphabetic strings over numeric
Ya, exactly. /item/3 isn't really the request -- it's some hard to
guess md5 session plus /item/3. Does adding a *second* md5 hash do
much more good?
well ..session id would authorize user to use the application. We
would need additional query to determine if /item/3/view is
accessible to
Hello,
I am trying to encrypt / decrypt all the paths used in my application
for encrypting, I simply overloaded uri_for method to return encrypted
link..
however..I did not find any clean (simple) way to decrypt the same.
Here's what I am doing as of now..
sub prepare_path {
##
On Thu, May 17, 2007 at 07:17:40PM +0530, Harshal Shah wrote:
I am trying to encrypt / decrypt all the paths used in my application
is there a better way to do this ??
Er ... don't encrypt the URI in the first place and use normal authentication?
I can't think of a case where what you're
One idea is to not encrypt the URI but MD5 it to prevent URL
tampering. Another layer of security for authorization.
On May 17, 2007, at 2:26 PM, Matt S Trout wrote:
On Thu, May 17, 2007 at 07:17:40PM +0530, Harshal Shah wrote:
I am trying to encrypt / decrypt all the paths used in my
Hi Matt,
just trying to hide URLs from users ..
Harshal Shah
On 5/18/07, Matt S Trout [EMAIL PROTECTED] wrote:
On Thu, May 17, 2007 at 07:17:40PM +0530, Harshal Shah wrote:
I am trying to encrypt / decrypt all the paths used in my application
is there a better way to do this ??
Er ...