Thorsten,
[EMAIL PROTECTED] wrote:
> However, what happens if a user logs in, but then submits an arbitrary id?
> This would enable him to see orders from other users! How can such security
> gaps best be avoided?
I'm assuming that you are stori
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> What's the best way to avoid this situation?
Um... Store the user ID with the order # (which you should be doing
anyway) and make sure they match?
Dave
1. encode the user id in the order id you store in the db:
user-id 123
relative order-id 41
stored order-id = 123-41
This way he has no chance to ever request an order from another user,
since even if he sends 51 to check for order 51 of user 456, the system
will look up 123-51 instead of 456-51.
2.
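The two fixes suggested in this thread (keep the owner with each order and check it on every lookup, or scope the stored key by the session user) as an added, self-contained Java example; this is not code from the thread or from Struts. `OrderStore` is a hypothetical stand-in for the DAO a Struts action would call, and `sessionUser` is assumed to come from the authenticated session, never from the request (Java 16+ for `record`).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical example for the "arbitrary order id" problem discussed above.
public class OrderOwnershipCheck {
    record Order(int orderId, int ownerId, String summary) {}

    // Fix from Dave's reply: store the owner with the order and look it up by
    // BOTH the session user id and the requested order id. In a real DAO this
    // is "SELECT ... FROM orders WHERE order_id = ? AND user_id = ?", with the
    // user id bound from the session, not from a request parameter.
    static class OrderStore {
        private final Map<Integer, Order> byId = new HashMap<>();

        void add(Order o) { byId.put(o.orderId(), o); }

        // Empty both when the order does not exist and when it belongs to
        // someone else, so the response reveals nothing about other users' ids.
        Optional<Order> findForUser(int sessionUserId, int requestedOrderId) {
            Order o = byId.get(requestedOrderId);
            if (o == null || o.ownerId() != sessionUserId) {
                return Optional.empty();
            }
            return Optional.of(o);
        }
    }

    // Fix 1 from the other reply: the stored key is "userId-relativeId" and the
    // user part always comes from the session, so a tampered relative id can
    // only ever resolve inside the caller's own orders.
    static String scopedKey(int sessionUserId, int relativeOrderId) {
        return sessionUserId + "-" + relativeOrderId;
    }

    public static void main(String[] args) {
        OrderStore store = new OrderStore();               // constructed sample data
        store.add(new Order(42, 123, "order 42 of user 123"));
        store.add(new Order(41, 456, "order 41 of user 456"));

        int sessionUser = 123;   // taken from the authenticated session
        int tamperedId = 41;     // attacker-controlled request parameter

        System.out.println("own order visible: "
                + store.findForUser(sessionUser, 42).isPresent());
        System.out.println("foreign order visible: "
                + store.findForUser(sessionUser, tamperedId).isPresent());
        System.out.println("scoped key for relative id 51: " + scopedKey(sessionUser, 51));
    }
}
```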
No, I mean that I am a user and log in as usual. I can see that my orders have
ids such as 5, 10 and 42. Now I trick a little bit and send another id, say 41
(which is an order of another user), and without a check the action would show
me this order. What's the best way to avoid this situation?
Just to clarify things, do you mean another user sending your
sessionId stored in your cookie to the shop?
leon
On 1/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi,
The question I have is not purely specific to Struts, but I expect that it's a
common problem for Struts users. Suppose yo