[FX.php List] Disallowing access thru modifying url?
Hal Gumbert
hal at macfl.com
Wed Apr 26 09:03:22 MDT 2006
On Apr 24, 2006, at 1:28 PM, Joel Shapiro wrote:
> What ways are there to limit record access to *only* clicked-on links?
>
> When I get a list of records, clicking on any one of them links to
> their respective url, e.g.:
> http://127.0.0.1/page.php?recid=1234
You might be able to deal with this in the same way some credit card
companies generate temporary credit card numbers for online purchases.
While generating the page for the user, add records to a
RecordsRequest table which act as an alias to the real record like so:
http://127.0.0.1/page.php?recreq=394598443986543394598443986543
http://127.0.0.1/page.php?recreq=239423048786676239423048786676
http://127.0.0.1/page.php?recreq=349349349766688349349349766688
- When they click on the link, it would find the RecordsRequest
where it could find the real record id and then go on to find the
record of interest.
- If you made the recreq big enough it would be hard to guess one
that existed. Generating it could be as easy as choosing a random
single digit number/letter and appending twenty of them or so. Just
make sure the generated number doesn't already exist.
- You could also add a RecordsRequest expiration timestamp. After a
certain amount of time old RecordsRequest could be deleted.
Does this make sense? It would add a layer of complexity, but not too
much...
Hal
--
Hal Gumbert <hal at macfl.com> or <hal at mac.com>
MacFL <http://www.macfl.com>
- FileMaker 7 Certified Developer & FileMaker 8 Certified Developer
- Apple Certified ACTC 10.1, ACHDS 10.3, ACHDS 10.4
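
The alias scheme described in the message above, as an added PHP sketch that is not part of the original post or of FX.php. The class and method names are hypothetical, a PHP array stands in for the RecordsRequest table, and the token comes from `random_bytes()` rather than from appending random single characters as the post suggests.

```php
<?php
// Added example. The array stands in for the RecordsRequest table;
// class and method names are hypothetical.
final class RecordsRequestStore
{
    private array $rows = [];   // token => ['recid' => int, 'expires' => int]
    private int $ttl;

    public function __construct(int $ttlSeconds = 900) { $this->ttl = $ttlSeconds; }

    // While generating the list page: create an alias for one real record id.
    public function issue(int $recid, int $now): string
    {
        do {
            $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
        } while (isset($this->rows[$token]));        // must not already exist
        $this->rows[$token] = ['recid' => $recid, 'expires' => $now + $this->ttl];
        return $token;
    }

    // In page.php: map ?recreq=... back to the real record id, or null.
    public function resolve(string $token, int $now): ?int
    {
        if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
            return null;                             // not a token we issue
        }
        $row = $this->rows[$token] ?? null;
        if ($row === null || $row['expires'] <= $now) {
            unset($this->rows[$token]);              // drop it if it was expired
            return null;
        }
        return $row['recid'];
    }

    // Periodic cleanup of old RecordsRequest rows; returns how many were deleted.
    public function purgeExpired(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn($r) => $r['expires'] > $now);
        return $before - count($this->rows);
    }
}

// Constructed demo values: record id 1234, 15-minute lifetime.
$store = new RecordsRequestStore(900);
$t0    = time();
$token = $store->issue(1234, $t0);
echo "http://127.0.0.1/page.php?recreq={$token}\n";
var_dump($store->resolve($token, $t0 + 60));   // alias used within its lifetime
var_dump($store->resolve('1234', $t0 + 60));   // a raw record id is not a valid alias
var_dump($store->resolve($token, $t0 + 901));  // same alias after it has expired
```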