[FX.php List] Disallowing access thru modifying url?
steve at bluecrocodile.co.nz
Wed Apr 26 16:36:30 MDT 2006
I think that this solution which Hal has provided is an excellent one for
your needs, and is the way that I handle a very similar situation...
One thing that you might like to think about. Hal suggested:
> - You could also add a RecordsRequest expiration timestamp.
> After a certain amount of time old RecordsRequest could be
If you do do this, it does mean that legitimate users can't bookmark a page
to return to that page of your site another day. While this may not be a
problem in your situation, it did cause me problems with one solution I
> On Apr 24, 2006, at 1:28 PM, Joel Shapiro wrote:
> > What ways are there to limit record access to *only* clicked-on
> > When I get a list of records, clicking on any one of them links to
> > their respective url, e.g.:
> > http://127.0.0.1/page.php?recid=1234
> You might be able to deal with this in the same way some credit card
> companies generate temporary credit card numbers for online purchases.
> While generating the page for the user, add records to a
> RecordsRequest table which act as an alias to the real record like so:
> - When they click on the link, it would find the RecordsRequest
> where it could find the real record id and then go on to find the
> record of interest.
> - If you made the recreq big enough it would be hard to guess one
> that existed. Generating it could be as easy as choosing a random
> single digit number/letter and appending twenty of them or so. Just
> make sure the generated number doesn't already exist.
> - You could also add a RecordsRequest expiration timestamp. After a
> certain amount of time old RecordsRequest could be deleted.
> Does this make sense? It would add a layer of complexity, but not too
> Hal Gumbert <hal at macfl.com> or <hal at mac.com>
> MacFL <http://www.macfl.com>
> - FileMaker 7 Certified Developer & FileMaker 8 Certified Developer
> - Apple Certified ACTC 10.1, ACHDS 10.3, ACHDS 10.4
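The RecordsRequest alias scheme discussed in this thread, as an added example that is not part of the original messages and not FX.php code. It goes slightly beyond the thread by drawing the alias from the OS CSPRNG (`random_bytes`) instead of appending random characters, and by binding each alias to the session it was issued to. Assumptions: PHP 8, an in-memory array standing in for the RecordsRequest table, and the hypothetical names `RecordsRequestMap`, `issue` and `resolve`.

```php
<?php
declare(strict_types=1);

// In-memory stand-in for the RecordsRequest table (hypothetical class and field names).
final class RecordsRequestMap
{
    private array $rows = [];   // recreq => ['recid', 'session', 'expires']

    public function __construct(private int $ttlSeconds = 900) {}

    // Called while building the list page; the returned alias goes into the link.
    public function issue(int $recid, string $sessionId, int $now): string
    {
        do {
            $recreq = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG
        } while (isset($this->rows[$recreq]));     // never reuse an existing alias
        $this->rows[$recreq] = [
            'recid' => $recid, 'session' => $sessionId, 'expires' => $now + $this->ttlSeconds,
        ];
        return $recreq;
    }

    // Called by the detail page; returns the real record id, or null to deny.
    public function resolve(string $recreq, string $sessionId, int $now): ?int
    {
        if (preg_match('/\A[0-9a-f]{32}\z/', $recreq) !== 1) {
            return null;                           // malformed input never reaches the lookup
        }
        $row = $this->rows[$recreq] ?? null;
        if ($row === null) {
            return null;                           // unknown or guessed alias
        }
        if ($row['expires'] <= $now) {
            unset($this->rows[$recreq]);           // delete old RecordsRequest rows
            return null;
        }
        return hash_equals($row['session'], $sessionId) ? $row['recid'] : null;
    }
}

// Constructed demo values: record 1234, two sessions, a fixed clock.
$map   = new RecordsRequestMap(900);
$t0    = 1146090990;
$alias = $map->issue(1234, 'session-A', $t0);
echo "page.php?recreq={$alias}\n";
var_dump($map->resolve($alias, 'session-A', $t0 + 60));     // owner, inside the window
var_dump($map->resolve($alias, 'session-B', $t0 + 60));     // same link, other session
var_dump($map->resolve('1234', 'session-A', $t0 + 60));     // raw record id in the URL
var_dump($map->resolve($alias, 'session-A', $t0 + 901));    // bookmarked, opened after expiry
```

The last call is the bookmark case raised in the reply: once the alias has expired, the saved link is denied even for the user it was issued to.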