Right: an integer id is not sensitive information. The problem arises
(as in your original example) when a malicious user can edit the URL to
change the id to another that he is not allowed to see, and your
application lets him see it. It's that last part you have to prevent.
After using
On 7/14/07, Rogelio <[EMAIL PROTECTED]> wrote:
> yet. I guess I was thinking that even if the user was logged in, the
> URL still would be showing potentially sensitive info. I was thinking
> maybe I needed to create some random sequence of letters/numbers,
> store that in a model field and
Thanks for the replies. No, I haven't incorporated authentication
yet. I guess I was thinking that even if the user was logged in, the
URL still would be showing potentially sensitive info. I was thinking
maybe I needed to create some random sequence of letters/numbers,
store that in a model
> So my newbie question is: Is there a better way to design/obfuscate
> the URL scheme when dealing with sensitive information? I know once
> I get some sort of authentication in place that will help, but the
> idea of showing sensitive info in a URL still has me concerned.
The
Are you using authentication? It's better to handle security policies
in your application instead of hiding information in URLs.
Have a look at http://www.djangoproject.com/documentation/authentication
Bye,
Massimo
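
The advice in the replies above (enforce access in the application rather than hide ids in URLs), as an added example that is not part of the thread. It is a framework-free Python sketch; the names `Student`, `STUDENTS`, `view_unscoped` and `view_scoped` and the sample records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    pk: int
    teacher_pk: int          # the teacher who owns this record
    name: str
    student_id_number: str   # the sensitive field


# Constructed sample data: teacher 10 has two students, teacher 20 has one.
STUDENTS = {
    1: Student(1, 10, "Ana", "S-0001"),
    2: Student(2, 10, "Ben", "S-0002"),
    3: Student(3, 20, "Cleo", "S-0003"),
}


def view_unscoped(session_teacher_pk, student_pk):
    """'Before': trusts the pk from the URL, so any teacher can read any record."""
    student = STUDENTS.get(student_pk)
    return (200, student) if student else (404, None)


def view_scoped(session_teacher_pk, student_pk):
    """'After': the lookup is limited to the teacher taken from the session."""
    if session_teacher_pk is None:
        return (302, None)  # not logged in: redirect to the login page
    student = STUDENTS.get(student_pk)
    # Same 404 for "no such record" and "not your record", so editing the
    # id in the URL reveals nothing about which pks exist.
    if student is None or student.teacher_pk != session_teacher_pk:
        return (404, None)
    return (200, student)


if __name__ == "__main__":
    # Teacher 10 requests their own student, another teacher's, and a missing pk.
    for pk in (1, 3, 99):
        print(pk, view_unscoped(10, pk)[0], view_scoped(10, pk)[0])
```

In a Django view the same scoping is done by adding the owning teacher to the query's filter, so a record belonging to someone else is simply not found.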
Hi,
I'm starting to write a grade book type application. There will be
many teachers that will be logging in to access their student
records. The student record will contain student grades and sensitive
info such as student ID number. In the model each teacher will have a
primary key (pk) and