Re: "tinyurl" url masking
From: Lincoln Yeoh (lyeoh at pop.jaring.my)
Date: Tue Sep 13 2005 - 08:27:40 CDT
>Which shows that Gmail (which I use to write this email) is badly
>designed, logout should be used via a POST only...
Well I prefer to use url/form "signing" for certain actions in some of my
webapps.
Fake example:
http://somewhere.null/webapp?do=transfer&src=1234&dst=5678&amt=5551&sig=ac36d415b9fc2ffb68171185ef2bd7da
Where sig could be a crypto hash of: the parameters, the session cookie/id
value (making replay harder) and a site secret. You could even add a salt
if you want, or do more sophisticated stuff.
Of course, for high impact actions, you'd get a confirmation page -
clicking yes submits the necessary confirmation keys/signatures to match
some of the parameters sent.
In Gmail's defense, not protecting logout isn't so bad (you might disagree
if you just composed a long message and haven't saved or sent it and
somehow got logged out ;) ).
>I think that it would be easier to fix the issue in the browser, to
>have browsers not use cookies over a redirect? (thinking only at
>session related scenarios)
That would break a fair number of things, or make things fairly
inconvenient. HTTP 302 redirects are a very common tool for webapps.
Many sites have the target page of a login form redirect to a subsequent
page. This is to prevent a browser refresh from rePOSTing the credentials.
Otherwise if you don't close the browser (yes I know ;) ), someone could
click the browser back button till the page just after the login form,
click refresh, and the browser will repost the login form values.
Regards,
Link.
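The URL/form signing scheme the message sketches, as an added example that is not code from the original post. It assumes an HMAC-SHA256 keyed with a site secret as the "crypto hash" (the post does not name a construction), a hypothetical `SITE_SECRET` value constructed for the example, and that the signature is computed over the sorted parameters plus the session id so that a URL captured in one session cannot be replayed in another. The `ConfirmationStore` shows the second half of the idea: a single-use confirmation key for high-impact actions that is tied to the same signed parameters.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qsl, urlsplit, urlunsplit

# Hypothetical site secret, constructed for this example. A real deployment
# would load it from a secrets store rather than hard-code it.
SITE_SECRET = b"example-site-secret-do-not-reuse"


def _canonical(params):
    """Canonical byte string of the parameters, excluding 'sig' and sorted
    by name, so parameter order in the URL does not affect the signature."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return urlencode(items).encode()


def sign_params(params, session_id, secret=SITE_SECRET):
    """HMAC-SHA256 over the canonical parameters and the session id, keyed
    with the site secret. Binding the session id means a signed URL is
    only valid inside the session it was issued for."""
    msg = _canonical(params) + b"|" + session_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_signed_url(base, params, session_id):
    """Append a 'sig' parameter to the query string of `base`."""
    signed = dict(params)
    signed["sig"] = sign_params(params, session_id)
    scheme, netloc, path, _, frag = urlsplit(base)
    return urlunsplit((scheme, netloc, path, urlencode(signed), frag))


def verify_signed_url(url, session_id, secret=SITE_SECRET):
    """Return the verified parameters, or None if the signature is missing,
    does not match (tampered parameters), or was issued for another session.
    Duplicate parameter names are collapsed; a stricter verifier would reject them."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.pop("sig", None)
    if presented is None:
        return None
    expected = sign_params(params, session_id, secret)
    # Constant-time comparison so verification timing leaks nothing about the MAC.
    if not hmac.compare_digest(presented, expected):
        return None
    return params


class ConfirmationStore:
    """Single-use confirmation keys for high-impact actions. The key is bound
    to the signature of the parameters shown on the confirmation page, so the
    confirming POST cannot be redirected to a different action."""

    def __init__(self):
        self._pending = {}

    def issue(self, params, session_id):
        key = secrets.token_urlsafe(16)
        self._pending[key] = sign_params(params, session_id)
        return key

    def redeem(self, key, params, session_id):
        expected = self._pending.pop(key, None)  # pop: the key works once
        if expected is None:
            return False
        return hmac.compare_digest(expected, sign_params(params, session_id))


if __name__ == "__main__":
    # Constructed parameters mirroring the fake example in the message.
    p = {"do": "transfer", "src": "1234", "dst": "5678", "amt": "5551"}
    u = build_signed_url("http://somewhere.null/webapp", p, "session-A")
    print(u)
    print("same session:", verify_signed_url(u, "session-A"))
    print("other session:", verify_signed_url(u, "session-B"))
    print("tampered amt:", verify_signed_url(u.replace("amt=5551", "amt=9999"), "session-A"))
```

The signature covers every parameter except `sig` itself, so changing `amt` or `dst` in transit invalidates it; including the session id is what makes replay from another browser fail even if the full URL leaks through a shortener or a Referer header.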