[Catalyst] Encrypt /Decrypt URI
Matija Grabnar
matija at serverflow.com
Fri May 18 16:31:51 GMT 2007
Matt S Trout wrote:
> The only use I can see for obfuscating the URL would be to convince a naive
> client that your app's more secure than it is (note as Bruce Schneier says,
> managing -perceived- security can be as important as managing -actual-
> security, but don't confuse the two :).
>
I see another use for obfuscating **part** of the URL: when you have
things you don't want the users enumerating. Like where you have
edit-item/(itemnumber). You DON'T want itemnumber to be a global counter
(for instance, the autoincrement id for the item table), because then a
black hat may find a way to view other items simply by changing the item
number in the URL. What you want there is either an item number that is
only unique within the context of a given user, or an opaque identifier
that doesn't make it obvious what values would come before or after it.
But other than that, I don't see a good reason for obfuscating the URL,
either.
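The two alternatives the post describes (a number unique only within a user's context, or an opaque handle with no ordering), shown side by side with the enumerable pattern they replace. This is an added example written for this page, not code from the thread or from Catalyst; it is framework-independent Python rather than Perl so that the functions can be exercised directly, and the item table, user names and the `edit_item_*` / `edit_by_*` function names are all constructed for illustration.

```python
"""Avoiding enumerable item ids in edit-item/(itemnumber) style URLs."""
import secrets

# Constructed sample table keyed by a global autoincrement id: the very
# pattern the post warns about, because 1, 2, 3 invites walking the sequence.
ITEMS = {
    1: {"owner": "alice", "name": "alice-draft"},
    2: {"owner": "bob", "name": "bob-invoice"},
    3: {"owner": "alice", "name": "alice-notes"},
}


def edit_item_unchecked(current_user, item_id):
    """Vulnerable form: trusts whatever number arrives in the URL, so the
    caller's identity never enters the lookup at all."""
    return ITEMS[item_id]


def edit_item_checked(current_user, item_id):
    """Ownership check that both schemes below still go through. A hard-to-
    guess reference makes discovery harder; it does not replace this check."""
    item = ITEMS.get(item_id)
    if item is None or item["owner"] != current_user:
        raise PermissionError(f"{current_user} may not edit item {item_id}")
    return item


# Option 1: a number that is unique only within one user's context.
# The URL carries "this user's 1st, 2nd, ... item"; the mapping back to the
# global id lives server-side and is rebuilt per request here for simplicity.
def user_scoped_ids(current_user):
    owned = sorted(gid for gid, it in ITEMS.items() if it["owner"] == current_user)
    return {n: gid for n, gid in enumerate(owned, start=1)}


def edit_by_user_number(current_user, n):
    mapping = user_scoped_ids(current_user)
    if n not in mapping:
        raise PermissionError(f"{current_user} has no item number {n}")
    return edit_item_checked(current_user, mapping[n])


# Option 2: an opaque identifier with no ordering. Each item gets a random
# URL-safe handle stored beside it (in a real app: an indexed column), so a
# handle reveals nothing about which handles come before or after it.
HANDLES = {secrets.token_urlsafe(16): gid for gid in ITEMS}  # handle -> global id


def handle_for(global_id):
    """Reverse lookup used when rendering links, e.g. edit-item/<handle>."""
    for handle, gid in HANDLES.items():
        if gid == global_id:
            return handle
    raise KeyError(global_id)


def edit_by_handle(current_user, handle):
    global_id = HANDLES.get(handle)
    if global_id is None:
        # Same error as a foreign item, so probing cannot distinguish the two.
        raise PermissionError("unknown item reference")
    return edit_item_checked(current_user, global_id)


if __name__ == "__main__":
    print("unchecked, alice -> item 2:", edit_item_unchecked("alice", 2)["name"])
    print("alice's scoped items:", user_scoped_ids("alice"))
    print("bob via handle:", edit_by_handle("bob", handle_for(2))["name"])
    try:
        edit_by_handle("alice", handle_for(2))
    except PermissionError as exc:
        print("alice via bob's handle:", exc)
```

Note that the random handle only removes the ordering; it is the ownership check in `edit_item_checked` that actually stops one user editing another's record, which is why both schemes funnel through it.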