cocoon-users mailing list archives

From Michael Bierenfeld <michael.bierenf...@atmiralis.de>
Subject Re: Off topic but imho important
Date Fri, 15 Sep 2000 13:33:45 GMT
Ulrich Mayring wrote:
> 
> mayring@denic.de wrote:
> >
> 
> > The simplest way to hide them is if you use POST instead of GET
> > parameters.
> 
> I think I should add this: of course, using POST (or whatever other
> method of hiding the parameters) still does not prevent someone from
> guessing your parameter name. So that alone does not improve security
> very much, you also have to do something like employ an authentication
> scheme and connect a session to it.
> 
> Ulrich
> 
> --
> Ulrich Mayring
> DENIC eG, Systementwicklung

Hello,

it is pretty secure in terms of HTTP and
authentication. The whole stuff runs over an
SSL server with card identification. The SSL proxy
stores the user identification/hash in the
HTTP header.

The whole application is a mixture of POST (forms)
and GETs (URLs built dynamically). So I am really
thinking of doing it like this:

e.g. GET parameters:

  http://www.somesite.com/index.xml?nUser=100&sPassword=honey

   will be

  http://www.somesite.com/index.xml?nUser=x3z&sPassword=urfnx&sHashCode=7485jgh7

   1) Crypt the parameter values
   2) Send it away with a HashCode identifying
the original params and that the URL is coming
from a servlet/xsp

e.g. POST:

   ?-) Does not apply :-).

I'll post the code if it is done.

Kind regards

Michael
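
The sHashCode step of the scheme described in this message, as an added example that is not code from the poster or from Cocoon. It assumes HMAC-SHA256 with a server-side key as the "HashCode" (the message names no algorithm); the class name SignedQuery and the key are hypothetical, and encrypting the parameter values is left out.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class SignedQuery {
    // Constructed demo key (assumption): a real key stays in server-side configuration.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    // Canonical form: parameters sorted by name, URL-encoded, joined with '&'.
    static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }
    // HMAC-SHA256 over the canonical string, hex-encoded so it fits in a URL.
    static String tag(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] mac = m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return String.format("%064x", new java.math.BigInteger(1, mac));
    }
    // Generating side (servlet/XSP): append sHashCode to the query string.
    static String sign(Map<String, String> params) throws Exception {
        String q = canonical(params);
        return q + "&sHashCode=" + tag(q);
    }
    // Receiving side: recompute over every parameter except sHashCode, compare in constant time.
    static boolean verify(Map<String, String> received) throws Exception {
        Map<String, String> p = new TreeMap<>(received);
        String sent = p.remove("sHashCode");
        return sent != null && MessageDigest.isEqual(
            tag(canonical(p)).getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> p = new TreeMap<>(Map.of("nUser", "100"));
        String query = sign(p);
        p.put("sHashCode", query.substring(query.indexOf("sHashCode=") + 10));
        System.out.println("index.xml?" + query + " valid=" + verify(p));
        p.put("nUser", "101"); // parameter changed after the URL was generated
        System.out.println("nUser changed to 101, valid=" + verify(p));
    }
}
```

The tag only shows that the parameters were produced by a holder of the key and not altered; it does not bind the URL to a user or session, which is the point raised in the quoted reply.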
