From: Mitra <mi...@mi...> - 2003-01-28 23:10:12

Honza - I don't see a reply to this ... do you think adding the AA_CP_Session to the cache string is a good idea?

- Mitra

At 9:34 PM +1100 20/1/03, Mitra wrote:
>Hmmm -
>
>This is a good point,
>
>One alternative would be to add the AA_CP_Session to the cache string,
>
>Even if this is not sufficient, this is something we need to do.
>
>What do you think?
>
>- Mitra
>
>
>At 10:50 AM +0100 20/1/03, Honza Malik wrote:
>>I found another, much more serious problem in this - caching.
>>
>>If I update an item on such page (you can test on FAQ), then new page is
>>generated from database and my AA_CP_Session id is added. BUT, this page
>>is CACHED (internally in AA for both - slice.php3 as well as for
>>view.php3), so EVERYONE who is going to the page obtains the page from
>>cache WITH MY SESSION ID.
>>
>>I think we really have to stop exporting AA_CP_Session ids outside of
>>the Admin interface.
>>
>> Honza
>>
>>On Sun, 2003-01-12 at 22:11, Mitra wrote:
>>> It's a good point, I was trying to think of security holes in it.
>>>
>>> I think this is a bit of a non-worry for a number of reasons.
>>> 1: Most browsers don't send referer URLs any more - really annoying
>>> when you are trying to track things down.
>>> 2: The hacker would have to be on a site you linked to, and react
>>> within three hours.
>>>
>>> I just don't see this as a big security hole.
>>>
>>> - Mitra
>>>
>>>
>>> At 10:05 PM +0100 12/1/03, Honza Malik wrote:
>>> >On Sun, 2003-01-12 at 02:08, Mitra wrote:
>>> >> The biggest change is that _#EDITITEM should now work in most cases
>>> >> outside of the admin interface, with the user being prompted for a
>>> >> userid/password and then returned back to where they came from.
>>> >
>>> >It's nice. Thanks Mitra.
>>> >
>>> >Just one note: It's not secure to add AA_CP_Session to urls outside of
>>> >AA Admin interface (like in FAQ). If there is any link to any other
>>> >webpage (in FAQ), it is possible to get your session id (AA_CP_Session)
>>> >from 'Referer' field. With this id (or url) you are able to access AA
>>> >admin pages without login (for 3 hours, when session id expires).
>>> >
>>> >I would probably prefer to create the link without the session id (with
>>> >f_e) as default (so users have to log in on every item edit) and then
>>> >maybe create optional f_e for those admins, who know about this problem
>>> >and don't care. At least we have to mention it in the FAQ.
>>> >
>>> >What do you think?
>>> >
>>> > Honza
>>> >
>>> >> - Mitra
>>> >>
>>> >>
>>> >> 01/12/02 - changed site module to go to prior sibling when deleting
>>> >> rather than parent
>>> >> 01/12/02 - added default $item=null to new_unalias_recurent to allow
>>> >> calling from site module without warnings
>>> >> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage
>>> >> where it is already there.
>>> >> 01/12/02 - changes to allow _#EDITITEM to be used outside of
>>> >> admin interface
>>> >> 01/12/02 - combined several ways of redirecting to a URL into common
>>> >> function go_return_or_url
>>> >
>>> >_______________________________________________
>>> >Apc-aa-coders mailing list
>>> >Apc...@li...
>>> >https://lists.sourceforge.net/lists/listinfo/apc-aa-coders

--
Mitra Technology Consulting - www.mitra.biz - mi...@mi...
02-6684-8096 or 0414-648-0722
Life is a Mystery to be Lived, not a Problem to be Solved
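The caching problem Honza describes, and the two remedies the thread weighs (adding the AA_CP_Session to the cache string versus not exporting the session id outside the admin interface at all), are easy to reproduce with a small model. The following is an added example written for this archive, not ActionApps code: render_page, PageCache, the key functions and the sample page and session values are constructed for illustration; only the parameter name AA_CP_Session comes from the thread. The leaked_sessions check is the kind of test a deployment could run over its page cache to confirm no session id has been written into a publicly served page, which is also the precondition for the Referer leak discussed earlier in the thread.

```python
import re
from typing import Callable, Dict, Optional

# Parameter name taken from the thread; everything else here is constructed.
SESSION_PARAM = "AA_CP_Session"


def render_page(url: str, session_id: Optional[str], export_session: bool) -> str:
    """Hypothetical renderer standing in for slice.php3/view.php3 output.

    export_session=True mimics the behaviour Honza reports (the editor's
    session id is written into the _#EDITITEM link); False is his proposed
    default (the link carries no session, so the editor logs in on every edit).
    """
    edit_link = "/admin/edit.php3?item=42"
    if export_session and session_id:
        edit_link += f"&{SESSION_PARAM}={session_id}"
    return f'<html><body>FAQ item 42 <a href="{edit_link}">edit</a></body></html>'


class PageCache:
    """Minimal page cache keyed by a caller-supplied key function."""

    def __init__(self, key_fn: Callable[[str, Optional[str]], str]) -> None:
        self._key_fn = key_fn
        self._store: Dict[str, str] = {}
        self.misses = 0  # number of times the page had to be rendered

    def get(self, url: str, session_id: Optional[str], export_session: bool) -> str:
        key = self._key_fn(url, session_id)
        if key not in self._store:
            self.misses += 1
            self._store[key] = render_page(url, session_id, export_session)
        return self._store[key]


# Cache-key policies. url_only is the situation the thread describes;
# url_and_session is Mitra's "add the AA_CP_Session to the cache string".
def url_only(url: str, session_id: Optional[str]) -> str:
    return url


def url_and_session(url: str, session_id: Optional[str]) -> str:
    return f"{url}|{session_id or ''}"


# Matches ?AA_CP_Session=<value> or &AA_CP_Session=<value> inside a page.
LEAK_RE = re.compile(rf"[?&]{SESSION_PARAM}=([^&\"'\s<]+)")


def leaked_sessions(page: str) -> set:
    """Detection helper: every session id embedded in a rendered page."""
    return set(LEAK_RE.findall(page))


def simulate(key_fn, export_session: bool) -> dict:
    """An editor with a live session renders /faq first; an anonymous
    visitor (no session) then requests the same URL. Reports whether the
    visitor received the editor's session id from the cache."""
    cache = PageCache(key_fn)
    editor_session = "s3cr3t-editor-session"  # constructed sample value
    editor_view = cache.get("/faq", editor_session, export_session)
    visitor_view = cache.get("/faq", None, export_session)
    return {
        "visitor_got_editor_session": editor_session in leaked_sessions(visitor_view),
        "editor_page_has_session": bool(leaked_sessions(editor_view)),
        "cache_misses": cache.misses,
    }


if __name__ == "__main__":
    scenarios = [
        ("url-only cache, session exported", url_only, True),
        ("url+session cache, session exported", url_and_session, True),
        ("url-only cache, session not exported", url_only, False),
    ]
    for name, key_fn, export in scenarios:
        print(f"{name}: {simulate(key_fn, export)}")
```

The first scenario is the bug: one render, and every later visitor receives a page carrying the editor's session id. Keying the cache on URL plus session stops the cross-user leak but doubles the renders and still leaves the session id in the editor's own page, where any outbound link can expose it through the Referer header. Only the third scenario, which never writes the session id into public output, gives leaked_sessions an empty result for every viewer.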