WebApp Sec mailing list archives

RE: Encrypted URL


From: "scott wood" <swood () cambian com>
Date: Fri, 30 Jan 2004 11:05:36 -0800

We encrypted the query parameters in a case where we are sending out
an email alert containing a URL that the user can click on. I thought 
this would provide a little extra insurance against any manipulations 
to the query parameters that the user might try to make to view 
unauthorized pages or data. But we also force the user to authenticate 
and then we do role-based authorization checks. So as long as the authorization 
checking is being done properly for every possible manipulation, the 
encryption doesn't provide any extra protection. But just in case it isn't,
it seemed like a simple way to add some protection. 

scott
---
scott wood    swood at cambian dot com
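
The pattern described in this message, as an added example that is not part
of the original thread: the query parameters for an e-mailed link are sealed
into one opaque token, bound to the recipient and given an expiry, and the
server still authenticates the user and runs the role-based authorization
check after opening the token. One caveat a practitioner would add: encryption
by itself does not stop manipulation (an attacker can flip ciphertext bits
without knowing the key), so the token uses encrypt-then-MAC, and the MAC is
what makes the parameters tamper-evident. The cipher here is HMAC-SHA256 in
counter mode so the example stays standard-library; AES-GCM or Fernet from the
cryptography package is the production choice. The server key, the parameters,
the role table and the https://example.invalid base URL are all constructed
for the example and are not from the original post.

```python
"""Opaque, tamper-evident query parameters for e-mailed links (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side secret; a real deployment loads this from a secret
# store or configuration, never from source code.
SERVER_KEY = secrets.token_bytes(32)

# Constructed role data standing in for the application's authorization tables.
ROLES = {"alice": {"analyst"}, "bob": {"viewer"}}
REPORT_ACL = {"rpt-42": {"analyst"}}

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustration;
    use AES-GCM or Fernet in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_params(key: bytes, params: dict, ttl_seconds: int = 86400) -> str:
    """Encrypt-then-MAC the parameters plus an expiry into a URL-safe token."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    body = dict(params, exp=int(time.time()) + ttl_seconds)
    plaintext = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def open_params(key: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify the MAC before decrypting; return None on any failure or expiry."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, truncated, or sealed under another key
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    try:
        body = json.loads(plaintext)
    except ValueError:
        return None
    current = now if now is not None else int(time.time())
    if not isinstance(body, dict) or body.get("exp", 0) < current:
        return None
    return body


def build_alert_link(key: bytes, base_url: str, user: str, report_id: str) -> str:
    """Link placed in the alert e-mail: only the sealed token is visible."""
    return f"{base_url}?{urlencode({'t': seal_params(key, {'u': user, 'r': report_id})})}"


def handle_click(key: bytes, url: str, authenticated_user: str, now: Optional[int] = None):
    """Server handler: the user is already authenticated; open the token, then authorize."""
    token = (parse_qs(urlsplit(url).query).get("t") or [""])[0]
    params = open_params(key, token, now)
    if params is None:
        return 400, "bad or expired link"
    if params.get("u") != authenticated_user:
        return 403, "link was issued to another user"  # forwarded link
    # The role check is the real control; the sealed token is defence in depth.
    if not ROLES.get(authenticated_user, set()) & REPORT_ACL.get(params.get("r"), set()):
        return 403, "role not permitted"
    return 200, f"report {params['r']}"


def flip_token_byte(token: str, offset: int) -> str:
    """Simulate manipulation: flip one bit of the decoded token at 'offset'."""
    raw = bytearray(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode().rstrip("=")


if __name__ == "__main__":
    link = build_alert_link(SERVER_KEY, "https://example.invalid/report", "alice", "rpt-42")
    print(handle_click(SERVER_KEY, link, "alice"))   # (200, 'report rpt-42')
    print(handle_click(SERVER_KEY, link, "bob"))     # (403, ...) forwarded link
    bad = flip_token_byte(parse_qs(urlsplit(link).query)["t"][0], NONCE_LEN)
    print(handle_click(SERVER_KEY, f"https://example.invalid/report?t={bad}", "alice"))  # (400, ...)
```

Binding the token to the recipient ("u") is what keeps a forwarded e-mail from
granting access to someone else, and the expiry bounds how long a leaked mail
stays useful; neither replaces the role check that runs after the token opens.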
