[Catalyst] Encrypt /Decrypt URI
Bill Moseley
moseley at hank.org
Fri May 18 20:33:45 GMT 2007
On Fri, May 18, 2007 at 12:16:34PM -0700, mla wrote:
> Bill Moseley wrote:
> >Using md5s for images, as in your example, is fine. But if the images
> >really needed to be protected then that scheme is purely security by
> >obscurity. That's what we were talking about -- the case where some
> >user might type in the next sequence and see someone else's data. If
> >the images belonged to users you would probably want to make sure the
> >request is authorized to view the image instead of relying on just
> >obscuring the url.
> >
> >Adding layers of security is fine -- but you have to be careful that
> >the added complexity doesn't also make it easier to leave open a hole.
>
> Totally agree, but we should note that to "make sure the request is
> authorized to view the image" is usually dependent on the session ID,
> and the session ID is nothing more than a difficult to guess string. ;-)
Ya, exactly. /item/3 isn't really the request -- it's <some hard to
guess md5 session> plus /item/3. Does adding a *second* md5 hash do
much more good?
--
Bill Moseley
moseley at hank.org
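
The point made in this thread, as an added example that is not part of the original message or of Catalyst: a URL that is only obscured is served to anyone who presents it, while an authorized request is the session token plus the item id, checked against ownership. It is written in framework-independent Python; the names `ITEMS`, `SESSIONS`, `login`, `fetch_obscured` and `fetch_authorized`, the sample data, and the md5-of-id URL scheme are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: item id -> (owner, content).
ITEMS = {3: ("alice", "alice-photo.jpg"), 4: ("bob", "bob-photo.jpg")}
SESSIONS = {}  # session token -> user name


def login(user):
    """Issue a hard-to-guess session token (128 random bits)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def obscured_path(item_id):
    """Obscurity-only scheme (assumed): the URL is the md5 of the id."""
    return "/img/" + hashlib.md5(str(item_id).encode()).hexdigest()


def fetch_obscured(path):
    """Serves whoever presents the path; no notion of who is asking."""
    for item_id, (_owner, content) in ITEMS.items():
        if obscured_path(item_id) == path:
            return 200, content
    return 404, None


def fetch_authorized(token, item_id):
    """The request is session + /item/<id>: check both before serving."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None          # no valid session
    item = ITEMS.get(item_id)
    if item is None or item[0] != user:
        return 403, None          # same answer for missing and foreign items
    return 200, item[1]


if __name__ == "__main__":
    alice = login("alice")
    print(fetch_authorized(alice, 3))        # alice's own item
    print(fetch_authorized(alice, 4))        # next id in the sequence, bob's
    print(fetch_obscured(obscured_path(4)))  # no session involved at all
```
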