From: Mitra <mi...@mi...> - 2003-01-12 21:17:05
It's a good point, I was trying to think of security holes in it. I think this is a bit of a non-worry for a number of reasons. 1: Most browsers don't send referer URLs any more - really annoying when you are trying to track things down. 2: The hacker would have to be on a site you linked to, and react within three hours. I just don't see this as a big security hole.

- Mitra

At 10:05 PM +0100 12/1/03, Honza Malik wrote:
>On Sun, 2003-01-12 at 02:08, Mitra wrote:
>> The biggest change is that _#EDITITEM should now work in most cases
>> outside of the admin interface, with the user being prompted for a
>> userid/password and then returned back to where they came from.
>
>It's nice. Thanks Mitra.
>
>Just one note: It's not secure to add AA_CP_Session to urls outside of
>AA Admin interface (like in FAQ). If there is any link to any other
>webpage (in FAQ), it is possible to get your session id (AA_CP_Session)
>from 'Referer' field. With this id (or url) you are able to access AA
>admin pages without login (for 3 hours, when session id expires).
>
>I would probably prefer to create the link without the session id (with
>f_e) as default (so users have to log in on every item edit) and then
>maybe create optional f_e for those admins, who know about this problem
>and don't care. At least we have to mention it in the FAQ.
>
>What do you think?
>
> Honza
>
>> - Mitra
>>
>> 01/12/02 - changed site module to go to prior sibling when deleting
>> rather than parent
>> 01/12/02 - added default $item=null to new_unalias_recurent to allow
>> calling from site module without warnings
>> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage
>> where it is already there.
>> 01/12/02 - changes to allow _#EDITITEM to be used outside of admin interface
>> 01/12/02 - combined several ways of redirecting to a URL into common
>> function go_return_or_url

-- 
Mitra Technology Consulting - www.mitra.biz - mi...@mi... 02-6684-8096 or 0414-648-0722
Life is a Mystery to be Lived, not a Problem to be Solved
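The leak Honza describes, as an added example that is not part of the thread or of the APC-AA code base: a public page (the FAQ) whose URL carries AA_CP_Session, an external link on it, and the Referer a browser that still sends one would hand to the linked-to site; alongside it, the two mitigations the thread discusses, stripping the session id from URLs that leave the admin interface and building the _#EDITITEM link without it by default. The admin base URL, the page URLs and the `edit=` parameter are constructed for illustration, not the project's real ones.

```python
"""Session id in the URL vs. the Referer header (added example, not APC-AA code).

Assumptions (not from the original page): the admin base URL, the example
page URLs and the 'edit' query parameter are invented for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "AA_CP_Session"   # the parameter named in the thread


def query_params(url):
    """Parse the query string of a URL into a dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def referer_sent_on_click(current_page_url, browser_sends_referer=True):
    """Simulated browser behaviour: a browser that sends Referer sends the
    full URL of the page the link was on, query string included.  Mitra's
    point that many browsers do not send it is the False branch."""
    return current_page_url if browser_sends_referer else None


def session_from_referer(referer):
    """What the operator of the linked-to site can read from the access log."""
    if not referer:
        return None
    return query_params(referer).get(SESSION_PARAM)


def strip_session(url):
    """Remove AA_CP_Session from a URL, leaving every other parameter intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def is_admin_url(url, admin_base):
    """True when url is inside the admin interface (same scheme/host, path
    under admin_base); only such URLs may safely carry the session id."""
    u, a = urlsplit(url), urlsplit(admin_base)
    return (u.scheme, u.netloc) == (a.scheme, a.netloc) and u.path.startswith(a.path)


def add_session_if_admin(url, session_id, admin_base):
    """Append AA_CP_Session only to admin URLs; strip it from anything else
    (e.g. the public FAQ page the user is returned to after editing)."""
    if not is_admin_url(url, admin_base):
        return strip_session(url)
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SESSION_PARAM]
    params.append((SESSION_PARAM, session_id))
    return urlunsplit(parts._replace(query=urlencode(params)))


def edit_item_link(item_id, admin_base, session_id=None):
    """Honza's suggested default: build the _#EDITITEM link without the session
    id, so the user logs in on each edit; include it only when the admin opted
    in (session_id given).  The 'edit' parameter is an assumption."""
    params = [("edit", str(item_id))]
    if session_id is not None:
        params.append((SESSION_PARAM, session_id))
    return f"{admin_base}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed scenario: the FAQ page ended up with the session id in its URL.
    faq = "http://example.org/faq.shtml?AA_CP_Session=abc123"
    print("leaked via Referer:", session_from_referer(referer_sent_on_click(faq)))
    print("after stripping:   ", strip_session(faq))
    print("default edit link: ", edit_item_link(42, "http://example.org/apc-aa/admin/index.php3"))
```

The check that matters is `is_admin_url`: it is the host and path comparison that decides whether a URL may carry the session at all, so the "return to where they came from" redirect should run its target through `add_session_if_admin` rather than appending AA_CP_Session unconditionally.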