Archive of UserLand's first discussion group, started October 5, 1998.

Web App Security

Author: Edd Dumbill
Posted: 5/12/2000; 7:01:45 AM
Topic: scriptingNews outline for 5/12/2000
Msg #: 17237 (In response to 17229)
Prev/Next: 17236 / 17238

My assertion is that there is no 100% solution for the general case with current web technology.

As you noted the other day, the referrer solution doesn't work for browsers that send no referrer, or people who don't have referrer sending enabled.

So, while Manila has a fix, the larger problem remains, particularly on web sites where trusted and untrusted users both have write permissions, and a mix of GET/POST administrative effects.

The future needs a better web security model than the one we've got at the moment. Browsers need to have a feature where they'll only send session information when referred to from the same "zone" (however you end up defining a zone...), in the same way that encoding session info in the URL currently works as a solution to this issue.

I certainly don't have all the answers, but I hope people who create the browser technology can work together on this one.
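An added example, not part of Edd's post or of Manila, showing the two checks the thread compares: a Referer check, which has to choose between locking out users who send no referrer and leaving the gap open, and a per-session token carried in the URL, which the browser does not attach automatically to a request from elsewhere. The host name, server secret, session ids and the `tok` query parameter are all assumptions constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed values for this example: the site's own host and a server-side secret.
SITE_HOST = "manila.example"
SERVER_SECRET = b"constructed-server-secret-keep-private"


def referrer_allows(headers, site_host=SITE_HOST, allow_missing=False):
    """Referer-based check for a state-changing (GET or POST) admin request.

    The weakness discussed in the thread: when the browser sends no Referer,
    the server cannot tell a local request from a cross-site one.  It must
    either reject (locking out users with referrer sending disabled) or
    allow (leaving the gap open).  `allow_missing` is that policy choice.
    """
    referer = headers.get("Referer")
    if referer is None:
        return allow_missing
    return urlparse(referer).hostname == site_host


def session_token(session_id):
    """Derive a token bound to the session to embed in admin links and forms.

    Unlike the session cookie, which the browser attaches to any request
    aimed at the site, this value only appears in URLs the site itself
    generated for this user, so a request built elsewhere lacks it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_allows(url, session_id):
    """Accept the request only if the URL carries the token for this session."""
    supplied = parse_qs(urlparse(url).query).get("tok", [""])[0]
    # Constant-time comparison so the check does not leak the token by timing.
    return hmac.compare_digest(supplied, session_token(session_id))


if __name__ == "__main__":
    # Constructed requests: one from the site itself, one cross-site, one with no Referer.
    for hdrs in ({"Referer": "http://manila.example/admin"},
                 {"Referer": "http://other.example/page"},
                 {}):
        print(hdrs, "->", referrer_allows(hdrs), "(strict)", referrer_allows(hdrs, allow_missing=True), "(lenient)")
    link = "http://manila.example/admin/delete?id=3&tok=" + session_token("sess-1")
    print(token_allows(link, "sess-1"), token_allows(link, "sess-2"))
```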

This page was archived on 6/13/2001; 4:55:10 PM.

© Copyright 1998-2001 UserLand Software, Inc.