[Catalyst] Re: fine Authentication
Jürgen Peters
taulmarill at xgn.de
Thu Aug 4 17:42:44 CEST 2005
On Thu, 4 Aug 2005 18:14:14 +0300, Vlad Bazon wrote
> Of course! You are always right ...
>
> On the other hand, in order to avoid to <manually> modify the data of
> a other user - a solution could be the (banal) extension of the
> controller code with:
>
> sub do_edit {
> my ( $self, $c ) = @_;
> # the "extension" for prevent GET ("manually") requests
> if ($c->req->method eq "GET") {
> $c->req->action(undef);
> $c->stash->{message}="aaa"; # You must not modify the
> others' data! return $c->forward('/login/login'); } .....
>
> Am I wrong?
yes, you are. many users are able to save and edit the html page to fake a
POST request. and thats just the trivial way. being a programmer, i could
always write a perlscript which pretends to be a browser doing a POST request.
and that's not hard to do either, even for script kiddies.
just use serious authentication which requires some hard guessable information
from the user. everything else is rubbish.
___
Jürgen
More information about the Catalyst
mailing list