
From: Gabriel Lawrence (gabe_at_butterflysecurity.com)
Date: Wed Jul 10 2002 - 14:37:24 CDT


    Post is always good, but the problem with it is that it prevents people
    from bookmarking a page...

    So, for instance, it's good that Yahoo passes the stocks you want quotes
    for as a GET string, because I can just bookmark that page and then get
    my quotes from them daily.

    The thing to really look out for when you are passing information around
    is to remember that you cannot trust anything that happens on the client
    side to remain the same and to validate properly.

    Get methods invite the casual user to tinker, but the post method
    doesn't do anything to prevent a savvy user from tinkering.

    As far as querystring vs. hidden goes, the querystring version may appear
    in certain places on the user's UI depending on the browser and how you go
    about doing it... This may invite users to tinker, but a savvy user is
    going to see the hidden values anyway...

    So, I guess my answer is trust no one. If you use hidden values to track
    some kind of state you need to revalidate the validity of that state
    when it is returned.

    Example from the real world:

    At a previous company we had a task list web app. The task list allowed
    users to edit tasks. There were access controls so that they should only
    be able to see certain tasks. So the edit screen would send down the
    data, and a hidden id field. Well, in this case the person didn't check
    the id before sending the changes for the edited field back to the
    server. It would be best to obscure this information completely by using
    some kind of session-based id that had no real relationship, but if you
    do have to send it through the client the trick is to make sure on the
    flip side that the id you get back is really one that the user can
    edit...

    Kind of a trivial example, but a real world one so I thought I'd throw
    it in... And yes, this one was caught in QA, not in production :-)

    =gabe

    On Wed, 2002-07-10 at 11:36, Steven Fling wrote:
    > Our application communicates across various application server environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters back and forth. Naturally we use SSL to encrypt the request/response.
    >
    > I wanted to see if there were any Best Practices established to transfer data in this fashion. POST vs. GET method, querystring vs. hidden form variable, etc.
    >
    > Any insight would be appreciated!
    >
    > ____________________________________
    > Steve Fling
    > Managing Architect - Web Development
    > OppenheimerFunds, Inc.
    > sflingoppenheimerfunds.com
    > Office: 303.768.3200
    > FAX: 303.768.1096
    > http://www.oppenheimerfunds.com
    > ____________________________________
    >
    >
    > This electronic mail transmission may contain confidential information and is intended only for the person(s) named. Any use, copying or disclosure by any other person is strictly prohibited. If you have received this transmission in error, please notify the sender via e-mail.
    >
    >
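The hidden-id bug Gabe describes, as an added example that is not part of the original post: a handler that trusts the hidden task id exactly as the browser returned it, the same handler re-running the access check on the returned id, and the session-based opaque handle he suggests in place of the real id. The task table, user names and function names are all constructed for illustration.

```python
import secrets

# Constructed sample data: task id -> owner and title (not from the post).
def sample_tasks():
    return {
        101: {"owner": "alice", "title": "Write quarterly report"},
        102: {"owner": "bob", "title": "Rotate backup tapes"},
    }

def can_edit(tasks, user, task_id):
    """The access rule the task list already applies when deciding what to show."""
    return task_id in tasks and tasks[task_id]["owner"] == user

def edit_task_unchecked(tasks, user, form):
    """Vulnerable: trusts the hidden 'id' field exactly as the browser sent it back."""
    task_id = int(form["id"])
    tasks[task_id]["title"] = form["title"]
    return True

def edit_task_checked(tasks, user, form):
    """Fixed: re-run the same access check on the id the client returned."""
    task_id = int(form["id"])
    if not can_edit(tasks, user, task_id):
        return False
    tasks[task_id]["title"] = form["title"]
    return True

def render_edit_form(tasks, session, user, task_id):
    """Stronger: the edit screen hands out a per-session opaque handle, not the real id."""
    if not can_edit(tasks, user, task_id):
        raise PermissionError(f"{user} may not edit task {task_id}")
    token = secrets.token_urlsafe(16)
    session.setdefault("edit_tokens", {})[token] = task_id
    return token

def edit_task_by_token(tasks, session, user, form):
    """Resolve the handle server side (single use) and still apply the ownership check."""
    task_id = session.get("edit_tokens", {}).pop(form["id"], None)
    if task_id is None or not can_edit(tasks, user, task_id):
        return False
    tasks[task_id]["title"] = form["title"]
    return True

if __name__ == "__main__":
    # alice submits the edit form with the hidden id changed to bob's task.
    tampered = {"id": "102", "title": "changed by alice"}
    tasks = sample_tasks()
    print(edit_task_unchecked(tasks, "alice", tampered), tasks[102]["title"])
    tasks = sample_tasks()
    print(edit_task_checked(tasks, "alice", tampered), tasks[102]["title"])
```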