[FX.php List] Disallowing access thru modifying url?
Steve Winter
steve at bluecrocodile.co.nz
Wed Apr 26 16:36:30 MDT 2006
Joel,
I think that this solution which Hal has provided is an excellent one for
your needs, and is the way that I handle a very similar situation...
One thing that you might like to think about, Hal suggested:
> - You could also add a RecordsRequest expiration timestamp.
> After a certain amount of time old RecordsRequest could be
> deleted.
If you do do this, it does mean that legitimate users can't bookmark a page
to return to that page of your site another day. While this may not be a
problem in your situation, it did cause me problems with one solution I
developed...
Cheers
Steve
> On Apr 24, 2006, at 1:28 PM, Joel Shapiro wrote:
>
> > What ways are there to limit record access to *only* clicked-on
> > links?
> >
> > When I get a list of records, clicking on any one of them links to
> > their respective url, e.g.:
> > http://127.0.0.1/page.php?recid=1234
>
> You might be able to deal with this in the same way some credit card
> companies generate temporary credit card numbers for online purchases.
>
> While generating the page for the user, add records to a
> RecordsRequest table which act as an alias to the real record like so:
>
> http://127.0.0.1/page.php?recreq=394598443986543394598443986543
> http://127.0.0.1/page.php?recreq=239423048786676239423048786676
> http://127.0.0.1/page.php?recreq=349349349766688349349349766688
>
> - When they click on the link, it would find the RecordsRequest
> where it could find the real record id and then go on to find the
> record of interest.
> - If you made the recreq big enough it would be hard to guess one
> that existed. Generating it could be as easy as choosing a random
> single digit number/letter and appending twenty of them or so. Just
> make sure the generated number doesn't already exist.
> - You could also add a RecordsRequest expiration timestamp. After a
> certain amount of time old RecordsRequest could be deleted.
>
> Does this make sense? It would add a layer of complexity, but not too
> much...
>
> Hal
> --
> Hal Gumbert <hal at macfl.com> or <hal at mac.com>
> MacFL <http://www.macfl.com>
>
> - FileMaker 7 Certified Developer & FileMaker 8 Certified Developer
> - Apple Certified ACTC 10.1, ACHDS 10.3, ACHDS 10.4
>
>
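
An added example, not code from this thread or from FX.php: a sketch of the RecordsRequest alias with the expiration timestamp discussed above. It assumes an in-memory array in place of the RecordsRequest table, a 15-minute lifetime and hypothetical function names, and it draws the token from random_bytes() rather than repeating one random character.

```php
<?php
// Added example: stand-in for the RecordsRequest table (an in-memory array;
// in the thread's setup this would be a table reached through FX.php).
// Function names, the TTL and the sample record id are assumptions.

const RECREQ_TTL = 900; // seconds an alias stays valid (assumed value)

// Create an alias for $recid and return the token to put in the link.
function issue_recreq(array &$table, int $recid, int $now): string
{
    do {
        // 16 bytes from the OS CSPRNG -> 32 hex characters.
        // rand()/mt_rand() output is predictable and should not be used here.
        $token = bin2hex(random_bytes(16));
    } while (isset($table[$token])); // make sure it doesn't already exist
    $table[$token] = ['recid' => $recid, 'expires' => $now + RECREQ_TTL];
    return $token;
}

// Map a token from the URL to the real record id; null means refuse.
function resolve_recreq(array &$table, $token, int $now): ?int
{
    // Accept only the exact format we issue before touching the table.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    if (!isset($table[$token])) {
        return null; // never issued, or already purged
    }
    if ($table[$token]['expires'] < $now) {
        unset($table[$token]); // expired: delete the old RecordsRequest
        return null;
    }
    return $table[$token]['recid'];
}

// Constructed demo data.
$table = [];
$now = time();
$token = issue_recreq($table, 1234, $now);
echo "link: page.php?recreq=$token\n";
var_dump(resolve_recreq($table, $token, $now));                  // token just issued
var_dump(resolve_recreq($table, '1234', $now));                  // raw recid typed into the URL
var_dump(resolve_recreq($table, $token, $now + RECREQ_TTL + 1)); // same token after the TTL
```

The last call is the bookmark case Steve describes: a saved link stops resolving once its RecordsRequest has expired.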