> That's one more reason why I use UUID's for my object ids. They're
> harder to spoof.

Security by obscurity :-) Checking the URL is not an option ... any web app claiming to be secure must do that, no matter what the surrogate database key looks like *imho*. Also, if the userID is the id of the currently logged in user, why not just store it in your wicket session when logging on to make it inaccessible for the client and prevent spoofing altogether?

On 02.11.2010 at 05:29, James Carman wrote:
> On Mon, Nov 1, 2010 at 11:30 PM, Jeremy Thomerson
> <jer...@wickettraining.com> wrote:
>>
>> And, of course, it opens you up to doing more security checks.... i.e., you
>> have editUserProfile.html?userID=123 - now you have to check that the signed
>> in person is allowed to edit whatever user they are trying to edit (since
>> they can twiddle the URL).
>>
>
> That's one more reason why I use UUID's for my object ids. They're
> harder to spoof.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
> ---------------------------------------------------------------------
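The point made in this reply, as an added example that is not part of the thread and not Wicket code: a server-side authorization check for an "edit user profile" handler, shown in Python rather than Java so it runs stand-alone. The `Session`, `Request`, `USERS` table and the handler names are all hypothetical, and the user ids are constructed sample UUIDs. The insecure handler trusts `userID` from the URL exactly as the `editUserProfile.html?userID=123` case in the quoted mail does; the hardened handler compares the requested id against the authenticated session (or an admin role), and the third handler follows the suggestion above of not reading the id from the client at all.

```python
"""
Added example (not from the Wicket thread): authorization must be checked
against the server-side session regardless of how the object id looks.
Using UUIDs as ids does not change this: once an id is known (shared link,
browser history, a log file) the insecure handler still lets any logged-in
user edit any other user's profile.
All names below are hypothetical; the ids and users are constructed data.
"""
from dataclasses import dataclass, field

# Constructed sample ids: random-looking UUIDs, but still just identifiers.
ALICE_ID = "6f1c0a6e-3b3d-4c45-9e5a-0d2f4a7b1c01"
BOB_ID = "b7e2d9a4-51c8-4f0e-8a6b-3e9c1d7f2a02"
CAROL_ID = "1a9f3c5e-7d2b-4e6a-b8c0-5f4e3d2c1b03"

# Constructed user table keyed by id (what a real app would load from its database).
USERS = {
    ALICE_ID: {"name": "alice", "email": "alice@example.invalid"},
    BOB_ID: {"name": "bob", "email": "bob@example.invalid"},
    CAROL_ID: {"name": "carol", "email": "carol@example.invalid"},
}


@dataclass
class Session:
    """Server-side session state, populated at login; the client cannot alter it."""
    user_id: str
    roles: set = field(default_factory=set)


@dataclass
class Request:
    """A request as the handler sees it: the caller's session plus URL parameters."""
    session: Session
    params: dict


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""


def edit_user_profile_insecure(request: Request) -> dict:
    """'Before' version: whoever can guess or learn a userID can edit that profile."""
    target_id = request.params["userID"]
    return USERS[target_id]  # no check that the caller may edit this user


def authorize_edit(session: Session, target_id: str) -> bool:
    """Policy: a user may edit their own profile; admins may edit anyone's."""
    return target_id == session.user_id or "admin" in session.roles


def edit_user_profile_secure(request: Request) -> dict:
    """Hardened version: the URL only names the object; the session decides access."""
    target_id = request.params.get("userID")
    if target_id is None or target_id not in USERS:
        raise KeyError("no such user")
    if not authorize_edit(request.session, target_id):
        # Log-worthy event for detection: a session asked for an object it does not own.
        raise Forbidden(f"session for {request.session.user_id} may not edit {target_id}")
    return USERS[target_id]


def edit_own_profile(request: Request) -> dict:
    """The reply's alternative: take the id from the session, never from the client."""
    return USERS[request.session.user_id]


if __name__ == "__main__":
    alice = Session(user_id=ALICE_ID)
    # Alice tampers with the URL to point at Bob's (UUID) id.
    tampered = Request(alice, {"userID": BOB_ID})
    print("insecure handler returned:", edit_user_profile_insecure(tampered)["name"])
    try:
        edit_user_profile_secure(tampered)
    except Forbidden as exc:
        print("secure handler refused:", exc)
    print("own-profile handler ignores the URL:", edit_own_profile(tampered)["name"])
```

The check in `authorize_edit` is the part that has to exist no matter what the key type is; `edit_own_profile` removes the parameter entirely, which is the cleanest fix when the page is only ever meant to edit the logged-in user's own record.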