Re: Hiding Contexts

This WebDNA talk-list message is from 2000.
on 23.08.2000 21:19, Steve Dannaway at smdannaway@ualr.edu wrote:

> So what I've whipped up is another version of our templates that allows a
> client to check their account. Since I'm on Typhoon, I did this with a
> context. In case I'm not using the correct terminology, this is what I am
> talking about: .
>
> What I have found, however, is that someone with a little knowledge of HTML
> can download the form, modify the client name and then gain access to
> another client's account.

First, use long and meaningless IDs rather than real names.

Second, each client has to have a login. Write some code to check the permission and [include] it on top of every page.

For example:

    [include /_includes/checkaccess]

And this would be the file checkaccess:

    [search db=clients.db&eqDB_USERdatarq=[username]&eqDB_PASSdatarq=[password]]
    [showif [numfound]=0]
    [authenticate]
    [/showif]
    [/search]

DB_USER and DB_PASS are two fields of your database. [username] and [password] ask the browser for these values. Every time the browser doesn't have the correct data, the authentication window pops up.

Additionally you might check the referrer on each page whether the request comes from within your site or not. Remember, if one tries to cheat, his faked form can not be on your server...

    [hideif [getmimeheader host]^www.iea.ualr.edu]
    Please stop this immediately, you are already in the log.
    I believe you know what we mean.
    If not, call the system administrator.
    [/hideif]

I would immediately send a mail and/or pager message to the administrator, including IP address, username, password, mimeheaders, everything you can get from this guy.

Peter
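A worked version of the check Peter describes, added here as an example (it is not code from the post and not WebDNA): a Python stand-in for the checkaccess include that resolves the browser's HTTP Basic credentials against a client table, shown beside the form-driven page the original poster had, where the submitted client name chose the account. The client table, the fixed salt and the opaque client ids are constructed for the example; the hardened page ties the account to the authenticated user and ignores the form field.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the post's clients.db. The post compares the
# browser's username/password with the DB_USER/DB_PASS fields; here the
# password column holds a salted hash instead of the clear-text value.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-static-salt"  # use a random salt per user in practice
CLIENTS_DB = {  # keys are the "long and meaningless IDs" the post recommends
    "a8f3k2x9q1": {"pw": _hash_pw("alice-secret", _SALT), "balance": 120.0},
    "z7m4p0w2r5": {"pw": _hash_pw("bob-secret", _SALT), "balance": 55.5},
}

def check_access(headers: dict) -> Optional[str]:
    """Equivalent of the post's checkaccess include: return the client id
    that authenticated, or None when the browser must be prompted again
    (the [authenticate] step in the post)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = CLIENTS_DB.get(user)
    # Hash even for unknown users so response time does not reveal valid ids.
    expected = record["pw"] if record else _hash_pw("", _SALT)
    if record is None or not hmac.compare_digest(_hash_pw(pw, _SALT), expected):
        return None
    return user

def account_page_vulnerable(form: dict) -> dict:
    """The pattern the original poster described: the client id comes from
    the submitted form, so editing the form shows another client's account."""
    return {"status": 200, "balance": CLIENTS_DB[form["client"]]["balance"]}

def account_page(headers: dict, form: dict) -> dict:
    """Hardened page: the account shown is the one that authenticated, and
    the form's 'client' field plays no part in the lookup."""
    user = check_access(headers)
    if user is None:
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="clients"'}}
    return {"status": 200, "balance": CLIENTS_DB[user]["balance"]}

def basic_header(user: str, pw: str) -> dict:
    """Build the Authorization header a browser sends after the auth prompt."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": "Basic " + token}
```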