Elliotte Rusty Harold wrote:
> At 7:05 PM -0800 1/5/04, Robert Koberg wrote:
>
>>> In a truly individualized situation all that's needed are URLs of
>>> the form http://www.example.com/page.html?username=elharo
>>
>> Does your bank do this? If so, which bank do you use?
>> In other words, do you care if someone who knows or guesses your
>> username can access your individualized situation?
>
> You're missing a crucial point. The password which is also necessary for
> access is not included in the URL. The URI identifies the resource but
> it is not sufficient for access to the resource (unless that's what you
> want of course).
I must be missing something (definitely possible). If that URL is what
tells the server that the request is for a resource you would not like
others to access, then what does the password have to do with it? Or are
you saying there is some server session being maintained (and so
incurring all the overhead associated with it) (I doubt something like
amazon maintains sessions)? If so, and you use a username to access the
session, it still seems pretty insecure, at least during your active
session.
...don't know if this is the best, but...
I generally have a user log in to verify as you mention. Then after
authentication and before the next view is presented a user state object
is created, populated and serialized using some random session
identifier as the system id for the serialized object. Then the id is
passed to a transformation to render a hidden input in the form to be
submitted. The object can be deserialized on different machines to
spread the load.
-Rob
> (There are less sensitive situations where I might well
> want to expose the contents of a personalized page to the world; e.g. my
> wish list at amazon.com)
>
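The login-then-random-session-id flow Rob describes, written out as an added example (not code from either poster). It assumes an in-memory dict standing in for the shared store that other machines would read, JSON in place of the unspecified serialization, and hypothetical names (`create_session`, `load_session`, `handle_request`, the `sid` field); the point it makes is that the username in the URL identifies the resource while only the unguessable session id authorizes access to it.

```python
import json
import secrets

# Constructed stand-in for the shared store keyed by the "system id" of the
# serialized user state; any machine in the pool could read from it.
SESSION_STORE = {}
SESSION_TTL_SECONDS = 900


def create_session(username, state, now):
    """After a successful password login, serialize the user's state under
    a random identifier. 256 bits from the OS CSPRNG cannot be guessed the
    way a username in a URL can."""
    session_id = secrets.token_urlsafe(32)
    record = {"username": username, "state": state, "created": now}
    # JSON rather than a native object serializer: deserializing it on
    # another machine never executes code carried inside the payload.
    SESSION_STORE[session_id] = json.dumps(record)
    return session_id


def render_hidden_input(session_id):
    """The hidden field the transformation emits into the next form; token_urlsafe
    output contains only [A-Za-z0-9_-], so no HTML escaping is needed here."""
    return '<input type="hidden" name="sid" value="%s">' % session_id


def load_session(session_id, now):
    """Deserialize the state on whichever machine received the form post.
    Unknown ids (including guessed ones) and expired ids yield nothing."""
    raw = SESSION_STORE.get(session_id)
    if raw is None:
        return None
    record = json.loads(raw)
    if now - record["created"] > SESSION_TTL_SECONDS:
        del SESSION_STORE[session_id]   # bound the window of a captured id
        return None
    return record


def handle_request(query_username, form_sid, now):
    """The username from the URL alone grants nothing: the posted session id
    must be live and must belong to that same user."""
    session = load_session(form_sid, now)
    if session is None or session["username"] != query_username:
        return None
    return session["state"]
```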