On 13-05-2009 at 17:26, Richard Hauswald wrote:
> Hey Marcus,
> You are definitely right. I took the wrong example. Here's a better one:
> User A has the right to see the details of a customer named Harry with
> the database id 5. Typically he clicks a link to the details page
> which contains the encrypted id value as parameter. The details page
> takes an id as parameter, queries the database for the customer with
> the given id and renders its details to html. The user details are
> cached in the session for faster response time if user A requests this
> customer again. Stripes encrypts the id 5 of customer Harry to
> tqFUzKpKj6g=. User A copies this id into his clipboard because he is
> very l33t :-).
> Then the admin revokes his right to view the details of customer Harry
> and forces User to relogin (so the cache gets cleared). User A won't
> see the link to the details of customer Harry anymore. So the server
> does not write out the id 5 anymore. Now the l33t User A takes another
> details link and replaces the encrypted id with the one from his
> clipboard. And he will see the details of customer Harry.

No he won't, because the server checks if the id specified belongs to a
customer he's allowed to see. Or at least I hope it does: security by
obscurity never works reliably.

The safest solution is not to encrypt anything going to the browser, but to
verify everything coming from the browser. After all, never trust user input.
And that includes normally hidden data.

Encryption is still a good solution to prevent eavesdropping and to prevent
session hijacking.

Oscar

-- 
Oscar Westra van holthe - Kind    http://www.xs4all.nl/~kindop/
DRM "manages access" in the same way that a jail "manages freedom".
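
The scenario from this exchange as an added example (not code from the thread or from Stripes): a details handler that looks up the caller's current permission on every request, so a saved token stops working once access is revoked. It uses only the JDK; the class, the method names, the sample data and the Base64 stand-in for the id encryption are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added illustration; plain JDK, no Stripes classes. All names are hypothetical.
public class CustomerDetailsCheck {
    // Constructed sample data: customer id -> name.
    static final Map<Long, String> CUSTOMERS = Map.of(5L, "Harry", 6L, "Sally");
    // Current grants: user -> customer ids that user may view right now.
    static final Map<String, Set<Long>> GRANTS = new HashMap<>();

    // Stand-in for the framework's reversible id encoding. An opaque token
    // only hides the id; it says nothing about who is allowed to use it.
    static String encode(long id) {
        byte[] raw = Long.toString(id).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(raw);
    }

    static long decode(String token) {
        byte[] raw = Base64.getDecoder().decode(token);
        return Long.parseLong(new String(raw, StandardCharsets.UTF_8));
    }

    // Details handler: the permission is checked on every request and is
    // never inferred from the fact that the caller holds a decodable token.
    static String details(String user, String token) {
        long id;
        try {
            id = decode(token);
        } catch (IllegalArgumentException e) { // bad Base64 or not a number
            return "400 bad id";
        }
        boolean allowed = GRANTS.getOrDefault(user, Set.of()).contains(id);
        if (!allowed || !CUSTOMERS.containsKey(id)) {
            return "403 forbidden"; // same answer for "unknown id" and "not yours"
        }
        return "200 " + CUSTOMERS.get(id);
    }

    public static void main(String[] args) {
        GRANTS.put("userA", new HashSet<>(Set.of(5L, 6L)));
        String saved = encode(5);                         // token User A kept
        System.out.println(details("userA", saved));      // while still permitted
        GRANTS.get("userA").remove(5L);                   // admin revokes access
        System.out.println(details("userA", saved));      // same token, after revocation
        System.out.println(details("userA", encode(6)));  // a customer still granted
        System.out.println(details("userA", "%%%"));      // malformed token
    }
}
```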
