WebApp Sec mailing list archives
Re: Encrypted URL
From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Fri, 30 Jan 2004 17:40:10 -0500 (EST)
> If all you're looking for is protection against query string/post data "tampering" just signing it should be enough. A really simple example in PHP (untested):

<snip>

It looks like what you're attempting to do is to send data from the server to the client, and ensure that the client sends the same data back. But you already know what the values are before sending them to the client, and you can read the values sent back from the client, so why sign the values, when you can just compare them before and after the post?

Why jump through hoops trying to send static data to the client, when you can store and control everything on the server side?

Stephen
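The two approaches contrasted in this message, side by side, as an added example that is not code from the thread (the PHP original was snipped). The function names, `SERVER_KEY`, and the in-memory `_STORE` standing in for session storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def sign_params(params: dict) -> str:
    """Approach 1: send the values to the client with an HMAC-SHA256 tag."""
    body = urlencode(sorted(params.items()))  # canonical order before signing
    return f"{body}&sig={_tag(body)}"


def verify_params(query: str):
    """Return the parameters if the tag matches, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sig"]
    if len(sigs) != 1:  # missing or duplicated tag
        return None
    rest = [(k, v) for k, v in pairs if k != "sig"]
    expected = _tag(urlencode(sorted(rest)))
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sigs[0].encode()):
        return None
    return dict(rest)


# Approach 2: keep the values on the server, hand the client an opaque token.
_STORE = {}  # hypothetical stand-in for server-side session storage


def stash_params(params: dict) -> str:
    token = secrets.token_urlsafe(16)
    _STORE[token] = dict(params)
    return token


def load_params(token: str):
    """One-shot lookup: the entry is removed, so a token cannot be reused."""
    return _STORE.pop(token, None)
```

A signed query string stays valid for as long as the key does, so it can be replayed unchanged; the server-side store controls lifetime directly because the server owns the entry.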