[Catalyst] Encrypt /Decrypt URI

mla maurice.aubrey at gmail.com
Fri May 18 20:16:34 GMT 2007


Bill Moseley wrote:
> Using md5s for images, as in your example, is fine.  But if the images
> really needed to be protected then that scheme is purely security by
> obscurity.  That's what we were talking about -- the case where some
> user might type in the next sequence and see someone else's data.  If
> the images belonged to users you would probably want to make sure the
> request is authorized to view the image instead of relying on just
> obscuring the url.
> 
> Adding layers of security is fine -- but you have to be careful that
> the added complexity doesn't also make it easier to leave open a hole.

Totally agree, but we should note that to "make sure the request is
authorized to view the image" is usually dependent on the session ID,
and the session ID is nothing more than a difficult-to-guess string. ;-)

Maurice
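
The contrast discussed in this thread, as an added example that is not part of the original messages and is not Catalyst code: a framework-independent Python sketch in which an md5-named image is served on the URL alone and then only to the session of its owner. `ImageStore`, `SESSION_TTL` and the sample users are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed session lifetime for this sketch


class ImageStore:
    def __init__(self):
        self.owner = {}     # image name -> user who uploaded it
        self.sessions = {}  # session id -> (user, expiry timestamp)

    def add_image(self, user, content):
        # md5 naming as in the thread: hides sequence numbers, but anyone
        # holding the URL (log, Referer header, shared link) can replay it.
        name = hashlib.md5(content).hexdigest()
        self.owner[name] = user
        return name

    def login(self, user, now=None):
        # The hard-to-guess string: 128 bits from the OS CSPRNG,
        # bound to one user and given an expiry.
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def logout(self, sid):
        # A session can be revoked; a URL that has leaked cannot.
        self.sessions.pop(sid, None)

    def fetch_by_url_only(self, name):
        # Obscurity scheme: knowing the name is the whole check.
        return 200 if name in self.owner else 404

    def fetch_authorized(self, name, sid, now=None):
        now = time.time() if now is None else now
        user, expiry = self.sessions.get(sid, (None, 0))
        if user is None or now >= expiry:
            return 401  # missing, unknown, revoked or expired session
        if self.owner.get(name) != user:
            return 404  # same answer for "not yours" and "does not exist"
        return 200
```

Both schemes rest on an unguessable value, but the session is tied to a user, expires, and can be revoked, while the image name is a permanent bearer token for whoever sees the URL.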



