cocoon-users mailing list archives

From Michael Nachbaur <>
Subject RE: [Cocoon Users] Off topic but imho important
Date Fri, 15 Sep 2000 14:32:45 GMT
Well, you'll have this exact same problem if you use Perl CGI/mod_perl, or even Bourne shell
to handle your webpages.  The user can *ask* anything of the server they want to.  It's your
task as a responsible web developer (you are, aren't you?  ;)  to verify that the person who
is requesting that page is authorized to do so.

So, having the userid they're logged in as in some server-side state storage which is used
to cross-reference all their requests is a must.  Now, I'm a newbie to Cocoon, but this is
what I do with my mod_perl based website (using the Apache::Session module).  The concept
is similar, as long as you don't store any information in the user's cookie besides some sort
of GUID.

Michael A. Nachbaur (KE6WIA)
"Don't try to outweird me, three-eyes.  I get stranger things than you
free with my breakfast cereal."  -- Zaphod Beeblebrox

-----Original Message-----
From: Michael Bierenfeld []
Sent: Friday, September 15, 2000 6:06 AM
To: Cocoon User Mailing List
Subject: [Cocoon Users] Off topic but imho important

Hello out there,

I am having the following Problem. We are
currently developing a website where security is
very important. Guess the following situation.

XML - content :


transferred to HTML-content


The problem is that if the Browser displays the
Page coming from Database. No one protects the
application from typing in the LOCATION-BAR :

=> user 110 is able to see the vital data from
user 4711. <=        IMPOSSIBLE !!!!!

Is there a way to hide the parameters in the
location bar? JavaScript is fine or maybe there is
an Apache setting. In the response Header or so. I
could imagine several ways :

- Using a sessionid and store the values in some
sort of HashTable
- Crypt the parameter values and send it together
with a funny hashcode to avoid hits by accident

Sorry for being OT.

Kind regards
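
The check described in the reply above, as an added example that is not part of either message: the cookie carries only an opaque random id, the user id lives in server-side state, and every request is compared against it. It is written in Python rather than mod_perl; the in-memory dict stands in for a store such as Apache::Session, and all names and the sample records are hypothetical.

```python
import secrets

# Constructed sample data: records keyed by owner id (ids taken from the thread).
RECORDS = {"110": "data of user 110", "4711": "vital data of user 4711"}


class SessionStore:
    """Server-side state: the cookie carries only an opaque random id."""

    def __init__(self):
        self._sessions = {}  # session id -> user id, never sent to the client

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable and carries no meaning
        self._sessions[sid] = user_id
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, cookie_sid, requested_user_id):
    """Return (status, body) for a request whose URL names requested_user_id."""
    user_id = store.user_for(cookie_sid) if cookie_sid else None
    if user_id is None:
        return 401, "not logged in"
    # The URL parameter is only a request; the session says who is asking.
    if requested_user_id != user_id:
        return 403, "forbidden"
    record = RECORDS.get(user_id)
    if record is None:
        return 404, "no such record"
    return 200, record


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("110")
    print(handle_request(store, sid, "110"))    # own record
    print(handle_request(store, sid, "4711"))   # someone else's record
    print(handle_request(store, "guessed-id", "4711"))  # unknown session id
```

Hiding or encrypting the parameter is not needed once this comparison is in place, because the decision no longer depends on anything the browser sends except the session id.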

