WebApp Sec mailing list archives
RE: Encrypted URL
From: "scott wood" <swood () cambian com>
Date: Fri, 30 Jan 2004 11:05:36 -0800
We encrypted the query parameters in a case where we are sending out an email alert containing a URL that the user can click on. I thought this would provide a little extra insurance against any manipulations to the query parameters that the user might try and make to view unauthorized pages or data.

But we also force the user to authenticate and then we do role-based authorization checks. So as long as the authorization checking is being done properly for every possible manipulation, the encryption doesn't provide any extra protection. But just in case it isn't, it seemed like a simple way to add some protection.

scott

---
scott wood
swood at cambian dot com
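The layering described in the message above, as an added example that is not part of the original post or the poster's code: a tamper check on the emailed link runs first, and the role-based authorization check runs on every request regardless. It uses an HMAC tag in place of encryption (a swapped-in technique), and the key, role table, and parameter names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample data: the key, role table and parameter names are
# hypothetical and exist only for this example.
SECRET_KEY = b"constructed-demo-key"
REPORT_ROLES = {"42": {"manager"}, "43": {"manager", "analyst"}}


def _tag(query: str) -> str:
    """HMAC-SHA256 over the exact query string that goes into the email."""
    return hmac.new(SECRET_KEY, query.encode(), hashlib.sha256).hexdigest()


def make_alert_query(params: dict) -> str:
    """Build the query string for the alert link, with an integrity tag."""
    query = urlencode(sorted(params.items()))
    return f"{query}&sig={_tag(query)}"


def verify_query(signed_query: str):
    """Return the parameters if the tag matches, otherwise None."""
    query, sep, sig = signed_query.rpartition("&sig=")
    # Compare as bytes so a non-ASCII sig is rejected instead of raising.
    if not sep or not hmac.compare_digest(_tag(query).encode(), sig.encode()):
        return None
    return dict(parse_qsl(query))


def handle_request(signed_query: str, user_roles: set) -> str:
    """user_roles stands for the roles of the already authenticated user."""
    # Layer 1: an edited link is rejected before any data lookup.
    params = verify_query(signed_query)
    if params is None:
        return "400 tampered link"
    # Layer 2: authorization is still decided here, even for an intact link
    # (for example, an alert email forwarded to someone with fewer rights).
    allowed = REPORT_ROLES.get(params.get("report_id"), set())
    if not (allowed & user_roles):
        return "403 forbidden"
    return "200 report " + params["report_id"]
```
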