[Catalyst] Encrypt /Decrypt URI

Peter Edwards peter at dragonstaff.com
Sat May 19 08:53:16 GMT 2007


There are several layers of security:

1. Authentication. Login screen and cookie with domain scope gives trusted
user id. Make the login screen SSL even if the rest of the app is plain
HTTP, if you're concerned about protecting user passwords. You could
generate a one time token per transaction if you're really paranoid and have
a single-window application.

2. Application permission. Based on the user id, some concept of which of
the following the user can access
- applications (base controller perm check)
- transactions by application (controller perm check)
- data sets by application (model perm check)
Throw an exception if the user tries to access something they shouldn't. 
Write Test::WWW::Mech / Selenium tests to verify the full range of access
checks, run a smoke test daily and a release test.

3. Exploit attacks. Re-ask for password on critical screens. Be really
careful about escaping form fields and anything that gets passed in as an
SQL argument. Read up on Perl tainting.

The biggest security threat is actually insider fraud, so try and design a
system that you would struggle to break yourself, with checks and balances
including a write-only audit trail. If you are serious about security, pay a
security consultancy to audit your code and site. 
Hashing the URL will make life hard for you as a developer and won't
necessarily stop black hats.

Regards, Peter
Dragonstaff Limited  http://www.dragonstaff.com  Business IT Consultancy


-----Original Message-----
From: Harshal Shah [mailto:harshal.shah at gmail.com] 
Sent: 19 May 2007 04:39
To: The elegant MVC web framework
Subject: Re: [Catalyst] Encrypt /Decrypt URI

> Ya, exactly.  /item/3 isn't really the request -- it's <some hard to
> guess md5 session> plus /item/3.  Does adding a *second* md5 hash do
> much more good?
>

Well, the session id would authorize the user to use the application. We
would need an additional query to determine if "/item/3/view" is
accessible to the user. Something like "item.userid = $c->user->userid" in
your query would serve the purpose.

I was trying to avoid the query as far as possible by obfuscating
URLs. If the user goes through this check, you need to have a similar
query to do actual authorization.


-- 
Harshal Shah
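As an added example (not code from either poster or from Catalyst itself), the check both messages describe, done at the model layer: the item is fetched by id AND owner in one query, so a request for someone else's item returns no row and the model throws, which the controller maps to a status. It also shows the bind-parameter and capture-based id validation that Peter's third point and Perl taint mode call for. Assumptions: DBD::SQLite is installed, the item table layout and rows are constructed here for the demo, and the user id is passed in as an argument where a Catalyst action would use `$c->user->userid`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite table (requires DBD::SQLite).
# In the real application this is the item table the model already queries.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE item (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, name TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO item (id, userid, name) VALUES (?, ?, ?)');
$ins->execute(@$_) for ([1, 100, 'alice invoice'], [2, 100, 'alice contract'], [3, 200, 'bob invoice']);

# Model-level permission check. The row is fetched by id AND owner in a single
# query, so a caller who knows another user's item id simply gets no row back;
# there is no separate "does it exist" step that could leak that information.
sub find_item_for_user {
    my ($dbh, $item_id, $userid) = @_;

    # Validate (and, under perl -T, untaint) the id by capturing it from a
    # strict pattern before it goes anywhere near the database.
    my ($clean_id) = (defined $item_id ? $item_id : '') =~ /\A(\d+)\z/
        or die "bad_request\n";

    # Bind parameters keep the values out of the SQL text entirely.
    my $row = $dbh->selectrow_hashref(
        'SELECT id, userid, name FROM item WHERE id = ? AND userid = ?',
        undef, $clean_id, $userid);

    die "forbidden\n" unless $row;
    return $row;
}

# Controller-style wrapper: the action only maps the model's exception to a
# status. In Catalyst the $userid argument would come from $c->user->userid.
sub view_item {
    my ($dbh, $item_id, $userid) = @_;
    my $row = eval { find_item_for_user($dbh, $item_id, $userid) };
    if (my $err = $@) {
        return { status => $err eq "bad_request\n" ? 400 : 403 };
    }
    return { status => 200, item => $row };
}

# Owner sees the item (200), another user is refused (403), a malformed id is
# rejected before any query runs (400).
printf "%s -> %d\n", $_->[0], view_item($dbh, @{$_}[1, 2])->{status}
    for (['owner views /item/3', 3, 200],
         ['other user views /item/3', 3, 100],
         ['non-numeric id', '3abc', 100]);
```

Because the ownership condition lives in the model query rather than in a URL hash, every controller that reaches the item goes through the same check, which is also what makes it straightforward to cover with the Test::WWW::Mechanize tests Peter suggests.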