


Re: Preventing Typed URLs From Being Used

From Daniel Pitts <newsgroup.nospam@virtualinfinity.net>
Newsgroups comp.lang.java.help
Subject Re: Preventing Typed URLs From Being Used
References <kmecaj$n92$1@dont-email.me> <CMyit.1705$mC6.475@newsfe15.iad> <kmedds$u7c$1@dont-email.me>
Message-ID <4QOit.20$In7.14@newsfe13.iad> (permalink)
Date 2013-05-09 07:58 -0700



On 5/8/13 1:47 PM, Steve wrote:
> On Wednesday May 08 4:42 PM, Daniel Pitts wrote:
>> Yes, it solves nothing, it breaks tabbed browsing, and leads to other
>> poor user experience.
>
> What other "poor user experience"(s)?
Well, for one thing if the user has cookies disabled, your site no 
longer works, period.

Also, bookmarks will fail.  Oh, and by the way, the user might be coming 
to your site from somewhere else.

> How would it break tabbed browsing?
Cookies being set are shared across browser tabs. If the user reloads a 
page in a different tab, then that request will have the wrong cookie 
value and be denied.


I really do suggest digging deeper and asking *why* your boss wants 
this. After 8 years of professional software development experience, I can 
almost smell the misconceptions your boss has about security.

Users *are* able to enter URLs, fake cookies, POST arbitrary data, even 
fake HTTP headers. You shouldn't even try to stop them. Just expect it. 
Most of the time, you don't care and shouldn't care.

Sometimes there is data surfaced on your site which must remain secure. 
In those times, you should use https *and* authentication *and* 
authorization checking.

The alternative to https/authentication/authorization is an insecure 
site.  If you miss any *one* of those, your site isn't secure.

There are no ifs, ands, or buts.

(Okay, so there are other secure transports other than https, but most 
of those aren't used in browsers)
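As an added example (not code from this thread or its author), here is what the https *and* authentication *and* authorization check recommended above looks like as a Java servlet Filter applied to every request, so it holds no matter how the user reached the URL (typed, bookmarked, a second tab, a link from another site). The role map and the session attribute names "user" and "roles" are assumptions for the illustration.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: check transport, authentication and authorization on every
// request, however the user reached the URL (typed, bookmarked, another tab).
public class AccessFilter implements Filter {
    // Assumed role map: URL prefix -> roles allowed to reach it.
    private static final Map<String, Set<String>> REQUIRED_ROLES = new HashMap<String, Set<String>>();
    static {
        REQUIRED_ROLES.put("/admin/", new HashSet<String>(Arrays.asList("admin")));
        REQUIRED_ROLES.put("/reports/", new HashSet<String>(Arrays.asList("admin", "analyst")));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. https: refuse to surface protected data over plain HTTP. (Behind a
        //    TLS-terminating proxy, isSecure() needs the container told so.)
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Authentication: server-side session created at login; the attribute
        //    names "user" and "roles" are assumed.
        HttpSession session = request.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute("user");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // 3. Authorization: roles recorded at login must cover this path.
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute("roles");
        String path = request.getServletPath();
        for (Map.Entry<String, Set<String>> rule : REQUIRED_ROLES.entrySet()) {
            if (path.startsWith(rule.getKey())
                    && (roles == null || Collections.disjoint(roles, rule.getValue()))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because the decision is made from server-side session state on every request, reloading a page in another tab, following a bookmark, or arriving with cookies disabled all fail or succeed for the right reason rather than because of a rotating per-page cookie.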

Thread

Preventing Typed URLs From Being Used Steve <tinker123@gmail.com> - 2013-05-08 16:28 -0400
  Re: Preventing Typed URLs From Being Used Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-05-08 13:42 -0700
    Re: Preventing Typed URLs From Being Used Steve <tinker123@gmail.com> - 2013-05-08 16:47 -0400
      Re: Preventing Typed URLs From Being Used Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-05-09 07:58 -0700
