[FX.php List] How to avoid URL counterfeiting

William Downs william.downs at gmail.com
Thu Jun 28 09:53:38 MDT 2007


Thanks guys for all the suggestions - and thanks Joel for the thread -

These values will vary throughout a user's session - as a Sales
person, I have perhaps 10 contacts - I can view only these; as a
manager I have 5 salespersons, I may view all of their contacts, but
not those from another sales team (centre) --

I will have a look all the same at using a comparison in the session -
I can re-set a session value when I land on the page.

Will get back to you tomorrow

William

On 6/28/07, Joel Shapiro <jsfmp at earthlink.net> wrote:
> Hi William
>
> Are the salesId and/or conID going to be unique per session, after
> login perhaps?  If so, then you should be able to set them as session
> variables (as you suggest) and leave them out of the URL altogether.
> Your called page (filename.php) could then just use the session
> variables in place of $_GET['salesId'] and/or $_GET['conID'].
>
> Or are these values going to vary throughout a user's session?
>
> Since you like looking at the archives... there was a thread I had
> started on April 24, 2006 entitled "Disallowing access thru modifying
> url?" that had some great responses.  (That was way early in my PHP
> life... I didn't even know what the term GET meant -- yoiks! :)
>
> -Joel
>
>
> On Jun 28, 2007, at 4:54 AM, William Downs wrote:
>
> > Hi guys -
> >
> > excellent breadth of knowledge here I have to say! - but a lot of
> > archive material to get through!
> >
> > I am forced sometimes to use header: Location:
> > filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> > (or a malicious one) may of course swap out the ids - what's the best
> > method of not allowing this to happen? - I will log them out of
> > course if they try this :-)
> >
> > I am thinking about setting session variables and comparing them to
> > the request variables, but is this the correct method?
> >
> > William
> > --
> > To see victory only when it is within the ken of the common herd is
> > not the acme of excellence.
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list


-- 
William Downs
Development and Support
BD Databases Ltd
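The check discussed in this thread (an allow-list of ids computed at login and held in the session, against which the ids arriving in the query string are compared on the called page), written out as an added example; it is not code from the list or from FX.php. The function names `allowedContactIds()` and `authorizeContactAccess()`, the role model (salesperson versus manager) and the sample ownership data are assumptions for illustration; in a real page the `$session` array would be `$_SESSION` and the ownership data would come from the database.

```php
<?php
// Added example, not from the FX.php list thread. Demonstrates keeping the
// authorization decision server-side: the conID in the URL is accepted only
// if it is in the allow-list the session was given at login.
declare(strict_types=1);

// Constructed sample data standing in for the database lookups:
// which salesperson owns each contact, and which salespeople each manager leads.
const CONTACT_OWNER = [
    101 => 'sales-ann', 102 => 'sales-ann',
    201 => 'sales-bob', 301 => 'sales-cat',
];
const TEAM_MEMBERS = [
    'mgr-north' => ['sales-ann', 'sales-bob'],
    'mgr-south' => ['sales-cat'],
];

/**
 * Compute, at login, the set of contact ids this user may view.
 * A salesperson sees only their own contacts; a manager sees every contact
 * belonging to the salespeople on their team. Store the result in the session.
 * (Hypothetical helper; the role/team model is an assumption.)
 */
function allowedContactIds(string $userId, string $role): array
{
    $sellers = $role === 'manager' ? (TEAM_MEMBERS[$userId] ?? []) : [$userId];
    $ids = [];
    foreach (CONTACT_OWNER as $conId => $owner) {
        if (in_array($owner, $sellers, true)) {
            $ids[$conId] = true;   // keyed by id so the later check is a simple isset()
        }
    }
    return $ids;
}

/**
 * The check filename.php runs before it reads the record. The id still arrives
 * via $_GET, but it is never trusted on its own: it must be well-formed and
 * present in the session's allow-list. Anything else is treated as tampering.
 * (Hypothetical helper; $session stands in for $_SESSION, $get for $_GET.)
 */
function authorizeContactAccess(array $session, array $get): bool
{
    if (!isset($session['allowed_contacts']) || !isset($get['conID'])) {
        return false;               // not logged in, or no id supplied
    }
    if (!ctype_digit((string) $get['conID'])) {
        return false;               // a contact id is a positive integer, nothing else
    }
    return isset($session['allowed_contacts'][(int) $get['conID']]);
}

// Simulated login and requests, so the script runs without a web server.
// Constructed sample session: sales-ann is logged in as a salesperson.
$session = [
    'user'             => 'sales-ann',
    'allowed_contacts' => allowedContactIds('sales-ann', 'sales'),
];

foreach (['101', '201', '9abc', ''] as $requested) {
    $ok = authorizeContactAccess($session, ['conID' => $requested]);
    printf("user %s requests conID=%s -> %s\n",
        $session['user'],
        var_export($requested, true),
        $ok ? 'allowed' : 'denied (log it and end the session)');
}
```

On the real page, a `false` result is where the "log them out" step from the thread goes: `session_destroy()` followed by a redirect to the login page, with the rejected id and the user written to a log so repeated attempts are visible. Recomputing the allow-list at login (and again whenever the user's role or team changes) keeps the decision in server-side state that the browser cannot edit, while the URL is left free to carry whatever ids the page needs.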

