| [reply] |
Thanks a lot for your replies. OK now, here lies the problem. I cant use sessions because I am forbidden to do so due to some reasons. And neither am I too keen on using cookies since there is a chance that some paranoid users may have disabled cookies in their browsers. So that lead me to think that since this involves the click on just one browser back button, would it be safe to go ahead with such an arrangement?
| [reply] |
I think there are two distinct issues here:
1. Is it safe? In other words, does it prevent a malicious user from changing parameters by editing the URL? No, it doesn't. This may not matter to you; a user changing 'choice=1' to 'choice=2' may be no different from if he'd backed up and switched a checkbox. But if he can change something like 'paid=no' to 'paid=yes', that may be a big problem. It depends on the data you're passing through the URL, and what he could affect by editing it.
2. Is it likely to break the functionality? Funny stuff happens with the back button and dynamic pages, depending on server and browser cache settings and other things. You really can't control what happens when they back up, whether their browser fills in the fields as they were before, or whether it submits the same form info that created the previous page, etc. So each step in your process has to be able to handle the fact that the browser could send anything (or nothing) any number of times for that particular step.
Sessions are the way to go, whether your powers-that-be like it or not. If you're concerned that someone will refuse cookies, you can pass a session key in the URL, but still keep your sensitive data on the server end, preventing users from editing the data directly.
Aaron B.
Available for small or large Perl jobs; see my home node.
| [reply]
[d/l]
[select] |
excuses excuses ... would it be safe to go ahead with such an arrangement?
No, it wouldn't be safe, though I admit I'm not entirely sure what arrangement you're referring to
| [reply] |