From: Honza M. <hon...@ec...> - 2003-01-28 23:24:36
Sorry for no response. I think the addition of AA_CP_Session in the cache
str2find string could help. On the other hand, you probably know I'm not a
friend of exporting AA_CP_Session outside of the AA Admin interface (referer
problem, ...), so I will probably encourage Econnect's administrators not to
use this feature on our servers. It doesn't mean I do not want this feature
in AA - I just want to mention possible problems in the FAQ - the usage of
such a feature is then up to admins.

Honza

On St, 2003-01-29 at 00:04, Mitra wrote:
> Honza -
>
> I don't see a reply to this ... do you think adding the AA_CP_Session
> to the cache string is a good idea?
>
> - Mitra
>
>
> At 9:34 PM +1100 20/1/03, Mitra wrote:
> > Hmmm -
> >
> > This is a good point,
> >
> > One alternative would be to add the AA_CP_Session to the cache
> > string,
> >
> > Even if this is not sufficient, this is something we need to do.
> >
> > What do you think?
> >
> > - Mitra
> >
> > At 10:50 AM +0100 20/1/03, Honza Malik wrote:
> > > I found another, much more serious problem in this - caching.
> > >
> > > If I update an item on such a page (you can test on FAQ), then a new
> > > page is generated from the database and my AA_CP_Session id is added.
> > > BUT, this page is CACHED (internally in AA for both - slice.php3 as
> > > well as view.php3), so EVERYONE who goes to the page obtains the
> > > page from the cache WITH MY SESSION ID.
> > >
> > > I think we really have to remove the export of AA_CP_Session ids
> > > outside of the Admin interface.
> > >
> > > Honza
> > >
> > > On Ne, 2003-01-12 at 22:11, Mitra wrote:
> > > > It's a good point, I was trying to think of security holes in it.
> > > >
> > > > I think this is a bit of a non-worry for a number of reasons.
> > > > 1: Most browsers don't send referer URLs any more - really
> > > > annoying when you are trying to track things down.
> > > > 2: The hacker would have to be on a site you linked to, and
> > > > react within three hours.
> > > >
> > > > I just don't see this as a big security hole.
> > > >
> > > > - Mitra
> > > >
> > > > At 10:05 PM +0100 12/1/03, Honza Malik wrote:
> > > > > On Ne, 2003-01-12 at 02:08, Mitra wrote:
> > > > > > The biggest change is that _#EDITITEM should now work in
> > > > > > most cases outside of the admin interface, with the user
> > > > > > being prompted for a userid/password and then returned back
> > > > > > to where they came from.
> > > > >
> > > > > It's nice. Thanks Mitra.
> > > > >
> > > > > Just one note: It's not secure to add AA_CP_Session to URLs
> > > > > outside of the AA Admin interface (like in FAQ). If there is any
> > > > > link to any other webpage (in FAQ), it is possible to get your
> > > > > session id (AA_CP_Session) from the 'Referer' field. With this
> > > > > id (or URL) you are able to access AA admin pages without login
> > > > > (for 3 hours, when the session id expires).
> > > > >
> > > > > I would probably prefer to create the link without the session
> > > > > id (with f_e) as default (so users have to log in on every item
> > > > > edit) and then maybe create an optional f_e for those admins who
> > > > > know about this problem and don't care. At least we have to
> > > > > mention it in the FAQ.
> > > > >
> > > > > What do you think?
> > > > >
> > > > > Honza
> > > > >
> > > > > > - Mitra
> > > > > >
> > > > > > 01/12/02 - changed site module to go to prior sibling when
> > > > > > deleting rather than parent
> > > > > > 01/12/02 - added default $item=null to new_unalias_recurent
> > > > > > to allow calling from site module without warnings
> > > > > > 01/12/02 - fixed adding AA_CP_Session to url in site module
> > > > > > AAPage where it is already there.
> > > > > > 01/12/02 - changes to allow _#EDITITEM to be used outside of
> > > > > > admin interface
> > > > > > 01/12/02 - combined several ways of redirecting to a URL
> > > > > > into common function go_return_or_url
> > > > >
> > > > > _______________________________________________
> > > > > Apc-aa-coders mailing list
> > > > > Apc...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/apc-aa-coders
> >
> > --
> > Mitra Technology Consulting - www.mitra.biz - mi...@mi...
> > 02-6684-8096 or 0414-648-0722
> >
> > Life is a Mystery to be Lived, not a Problem to be Solved
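To illustrate the cache leak Honza describes (a page rendered for a logged-in admin, with the AA_CP_Session id in its _#EDITITEM link, then served from the cache to every later visitor) and the mitigation Mitra proposes (mixing the session id into the cache string), here is an added Python model. It is not ActionApps code; the renderer, the cache-key format and the session value are constructed stand-ins.

```python
import re

# Constructed model of the AA page cache discussed in the thread; the names
# below are hypothetical, not the project's own.
SESSION_PARAM = "AA_CP_Session"
SESSION_RE = re.compile(SESSION_PARAM + r"=([0-9a-f]+)")


def render_page(slice_id, session_id=None):
    """Constructed renderer: emits an _#EDITITEM link and, as the thread
    describes, appends the requesting user's session id when present."""
    edit_url = f"/admin/itemedit.php3?slice_id={slice_id}&id=42"
    if session_id:
        edit_url += f"&{SESSION_PARAM}={session_id}"
    return f'<h1>FAQ</h1><a href="{edit_url}">edit</a>'


def cache_key(slice_id, session_id=None, include_session=False):
    """str2find-style cache string; with include_session=True the session id
    becomes part of the key, so admin and anonymous views cache separately."""
    parts = [f"slice={slice_id}"]
    if include_session and session_id:
        parts.append(f"{SESSION_PARAM}={session_id}")
    return "&".join(parts)


class PageCache:
    def __init__(self, include_session):
        self.include_session = include_session
        self.store = {}

    def get_page(self, slice_id, session_id=None):
        key = cache_key(slice_id, session_id, self.include_session)
        if key not in self.store:
            self.store[key] = render_page(slice_id, session_id)
        return self.store[key]


def leaked_session_ids(html):
    """Defender's check: session ids embedded in a page served to a client."""
    return set(SESSION_RE.findall(html))


def simulate(include_session):
    """Admin (with a session) visits first and the page is cached; an
    anonymous visitor follows. Returns the session ids the visitor sees."""
    cache = PageCache(include_session)
    cache.get_page("faq", session_id="deadbeef0123")  # constructed session id
    anon_page = cache.get_page("faq")
    return leaked_session_ids(anon_page)
```

With the session id left out of the key (the behaviour Honza reports) the anonymous visitor receives the admin's session id; with it included, the visitor gets a separately rendered page that carries none.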