[FX.php List] How to avoid URL counterfeiting

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jun 28 11:08:30 MDT 2007


Never use md5(); use sha1() instead.

ggt667

On 6/28/07, William Downs <william.downs at gmail.com> wrote:
> Thanks guys for all the suggestions - and thanks Joel for the thread -
>
> These values will vary throughout a user's session - as a Sales
> person, I have perhaps 10 contacts - I can view only these, as a
> manager I have 5 salespersons, I may view all of their contacts, but
> not those from another sales team (centre) --
>
> I will have a look all the same at using a comparison in the session -
> I can re-set a session value when I land on the page.
>
> Will get back to you tomorrow
>
> William
>
> On 6/28/07, Joel Shapiro <jsfmp at earthlink.net> wrote:
> > Hi William
> >
> > Are the salesId and/or conID going to be unique per session, after
> > login perhaps?  If so, then you should be able to set them as session
> > variables (as you suggest) and leave them out of the URL altogether.
> > Your called page (filename.php) could then just use the session
> > variables in place of $_GET['salesId'] and/or $_GET['conID'].
> >
> > Or are these values going to vary throughout a user's session?
> >
> > Since you like looking at the archives... there was a thread I had
> > started on April 24, 2006 entitled "Disallowing access thru modifying
> > url?" that had some great responses.  (That was way early in my PHP
> > life... I didn't even know what the term GET meant -- yoiks! :)
> >
> > -Joel
> >
> >
> > On Jun 28, 2007, at 4:54 AM, William Downs wrote:
> >
> > > Hi guys -
> > >
> > > excellent breadth of knowledge here I have to say ! - but a lot of
> > > archive material to get through !
> > >
> > > I am forced sometimes to use header: Location:
> > > filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> > > (or a malicious one) may of course swap out the ids - what's the best
> > > method of not allowing this to happen? - I will log them out of
> > > course if they try this :-)
> > >
> > > I am thinking about setting session variables and comparing them to
> > > the request variables, but is this the correct method?
> > >
> > > William
> > > --
> > > To see victory only when it is within the ken of the common herd is
> > > not the acme of excellence.
> > > _______________________________________________
> > > FX.php_List mailing list
> > > FX.php_List at mail.iviking.org
> > > http://www.iviking.org/mailman/listinfo/fx.php_list
> >
>
>
> --
> William Downs
> Development and Support
> BD Databases Ltd
>
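The check William describes (a session value compared against the request) and Joel's alternative (keep the IDs in the session and leave them out of the URL) both come down to one rule: the server decides what a user may see, and the URL is never the source of that decision. The following is an added example, not code from FX.php or from any of the posters, written in plain PHP. It assumes the login code has already stored the contact IDs the user may view in $_SESSION['allowed_contacts'] and the user's own ID in $_SESSION['salesId'] (both names are assumptions, as is the URL_SIGNING_KEY constant). It also shows a keyed HMAC (hash_hmac with SHA-256, compared with hash_equals) for the case where the ID must still travel in the query string; it is the secret key, not the choice of hash function, that makes such a signature unforgeable by the user.

```php
<?php
// Added example for the thread above; not code from FX.php or from any of the
// posters. Assumed: at login the application stores the IDs this user may see
// in $_SESSION['allowed_contacts'] (a salesperson's own contacts, or every
// contact of a manager's team) and the user's own ID in $_SESSION['salesId'].

declare(strict_types=1);

// --- 1. Server-side authorisation: trust the session, not the URL ------------

// Returns the contact ID if the session says this user may view it, else null.
// The ID is cast to int so a crafted string never reaches the database layer.
function authorisedContactId(array $session, $requested): ?int
{
    if (!is_numeric($requested)) {
        return null;
    }
    $conID   = (int) $requested;
    $allowed = $session['allowed_contacts'] ?? [];
    // strict=true: no "102abc" == 102 style surprises
    return in_array($conID, $allowed, true) ? $conID : null;
}

// --- 2. Signed URL: for when the ID really must travel in the query string ---

// Hypothetical server-side secret; keep it in config outside the web root.
const URL_SIGNING_KEY = 'replace-with-a-long-random-secret';

// Builds filename.php?salesId=..&conID=..&sig=.. where sig is an HMAC over
// the two parameters, so editing either one invalidates the signature.
function signedContactUrl(int $salesId, int $conID): string
{
    $params        = ['salesId' => $salesId, 'conID' => $conID];
    $params['sig'] = hash_hmac('sha256', http_build_query($params), URL_SIGNING_KEY);
    return 'filename.php?' . http_build_query($params);
}

// Verifies a parsed query (e.g. $_GET). The salesId in the URL must also match
// the logged-in user, otherwise a validly signed link could be reused by someone
// else. hash_equals gives a constant-time comparison.
function verifySignedParams(array $query, int $sessionSalesId): bool
{
    foreach (['salesId', 'conID', 'sig'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return false;
        }
    }
    if ($query['salesId'] !== (string) $sessionSalesId) {
        return false;
    }
    $expected = hash_hmac(
        'sha256',
        http_build_query(['salesId' => $query['salesId'], 'conID' => $query['conID']]),
        URL_SIGNING_KEY
    );
    return hash_equals($expected, $query['sig']);
}

// --- Demonstration with constructed session data -----------------------------

$session = ['salesId' => 7, 'allowed_contacts' => [101, 102, 103]];

var_dump(authorisedContactId($session, '102'));    // int(102): in the allowed set
var_dump(authorisedContactId($session, '999'));    // NULL: another team's contact
var_dump(authorisedContactId($session, "102'--")); // NULL: not numeric at all

$url = signedContactUrl(7, 102);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(verifySignedParams($query, 7));           // bool(true): untouched link

$query['conID'] = '999';                           // user swaps the ID in the URL
var_dump(verifySignedParams($query, 7));           // bool(false): signature no longer matches
```

The target page should run authorisedContactId even when a signed URL verifies: a valid signature only proves the server built that link, not that the user it is shown to may still see that contact (permissions can change mid-session). On a failed check, the logout William mentions is reasonable, but log the attempted conID and the session's salesId as well, since a single tampered ID is the first thing an attacker tries when probing for this class of bug.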

