Archive of UserLand's first discussion group, started October 5, 1998.

zope security alert

Author: Jamie Scheinblum
Posted: 5/9/2000; 8:16:16 PM
Topic: zope security alert
Msg #: 17139

It seems that this problem has been solved, in two ways...

1) if the server only performs content changes with a POST request, it becomes significantly more difficult to force damaging changes in the URL query string

2) unique session identifiers in the URL would keep outsiders from sending the links to make damaging changes. This would require the hostile link to know the current session id, which is unlikely.

At least a combination of the two would make it more difficult to pull off that trick, and be easier/eloquent to implement than referer checks.

-js
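The two mitigations described in the post above, written out as an added Python example; this is not code from the original thread or from Zope. The in-memory session table, the `Request` model, the `tok` parameter name and the set of content-changing action names are all constructed for illustration. The check refuses any content change that does not arrive as a POST (the first suggestion) and then requires a random per-session token that the server itself put into the link (the second suggestion), so a link supplied by an outsider, who does not know the token, is rejected.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Hypothetical in-memory session table: session id -> per-session change token.
# A real server would keep this inside its session machinery.
SESSIONS: dict = {}


def start_session() -> str:
    """Create a session and mint the random token that must accompany any content change."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(24)
    return sid


def change_link(path: str, sid: str) -> str:
    """Build a link the server itself emits.

    The session token rides in the query string, as the post suggests; a link
    forged by an outsider has no way of knowing this value.
    """
    return f"{path}?tok={SESSIONS[sid]}"


@dataclass
class Request:
    """Minimal constructed request model: method, URL, form body and cookies."""
    method: str
    url: str                      # e.g. "/docs/delete?tok=..."
    body: str = ""                # application/x-www-form-urlencoded
    cookies: dict = field(default_factory=dict)


# Constructed list of actions that modify content; everything else is a read.
CONTENT_CHANGING_ACTIONS = {"delete", "rename", "edit"}


def authorize(req: Request) -> str:
    """Decide whether a request may proceed. Returns an 'allow:*' or 'deny:*' label."""
    parts = urlsplit(req.url)
    action = parts.path.rsplit("/", 1)[-1]
    if action not in CONTENT_CHANGING_ACTIONS:
        return "allow:read"

    # Suggestion 1: content changes only via POST. A plain <a href> or <img src>
    # fetched by the victim's browser is always a GET and is turned away here.
    if req.method != "POST":
        return "deny:changes-require-post"

    sid = req.cookies.get("sid")
    expected = SESSIONS.get(sid)
    if expected is None:
        return "deny:no-session"

    # Suggestion 2: the request must carry the token issued to this session.
    # Accept it from the query string (as the post describes) or from the form body.
    query = parse_qs(parts.query)
    form = parse_qs(req.body)
    supplied = (query.get("tok") or form.get("tok") or [None])[0]
    if supplied is None:
        return "deny:missing-token"

    # Constant-time comparison so the token is not leaked through timing differences.
    if not hmac.compare_digest(supplied, expected):
        return "deny:bad-token"
    return "allow:change"


def demo() -> dict:
    """Run a set of constructed requests through authorize() and collect the decisions."""
    sid = start_session()
    link = change_link("/docs/delete", sid)
    cases = {
        "forged GET link": Request("GET", "/docs/delete?id=1", cookies={"sid": sid}),
        "forged POST without token": Request("POST", "/docs/delete", body="id=1", cookies={"sid": sid}),
        "forged POST with guessed token": Request("POST", "/docs/delete", body="id=1&tok=guess", cookies={"sid": sid}),
        "legitimate POST to server-issued link": Request("POST", link, body="id=1", cookies={"sid": sid}),
        "plain read": Request("GET", "/docs/view", cookies={"sid": sid}),
    }
    return {name: authorize(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:40s} -> {decision}")
```

The token is compared with `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time as a near miss; the rest of the logic is a direct transcription of the two suggestions in the post.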


This page was archived on 6/13/2001; 4:55:08 PM.

© Copyright 1998-2001 UserLand Software, Inc.