[Catalyst] Re: fine Authentication

Jürgen Peters taulmarill at xgn.de
Thu Aug 4 17:42:44 CEST 2005


On Thu, 4 Aug 2005 18:14:14 +0300, Vlad Bazon wrote
> Of course! You are always right ...
> 
> On the other hand, in order to avoid to <manually> modify the data of
> a other user - a solution could be the (banal) extension of the
> controller code with:
> 
> sub do_edit {
>     my ( $self, $c ) = @_;
>     # the "extension" to prevent GET ("manual") requests
>     if ( $c->req->method eq "GET" ) {
>         $c->req->action(undef);
>         $c->stash->{message} = "aaa";    # You must not modify the others' data!
>         return $c->forward('/login/login');
>     }
>     .....
> }
> 
> Am I wrong?

Yes, you are. Many users are able to save and edit the HTML page to fake a
POST request, and that's just the trivial way. Being a programmer, I could
always write a Perl script which pretends to be a browser doing a POST request,
and that's not hard to do either, even for script kiddies.
Just use serious authentication which requires some hard-to-guess information
from the user. Everything else is rubbish.
___
Jürgen
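The point of the reply above, shown as an added example that is not from this thread or from Catalyst itself: an HTTP-method check only filters how a request arrived, while an ownership check compares the authenticated session user against the record's owner, so a forged POST gains nothing. The record store, user names and request hashes below are constructed sample data, and `method_only_check` / `owner_check` are hypothetical plain subs standing in for controller logic.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: record id -> owner of that record.
my %record_owner = ( 7 => 'alice', 8 => 'bob' );

# The approach from the quoted post: refuse GET, let any POST through.
# A client that forges a POST passes this check unchanged.
sub method_only_check {
    my ($req) = @_;
    return $req->{method} eq 'POST' ? 1 : 0;
}

# Authorization tied to the authenticated session: the logged-in user
# must own the record being edited, whatever the request method was.
sub owner_check {
    my ($req) = @_;
    my $user  = $req->{session_user};              # set by real login, not by the client
    my $owner = $record_owner{ $req->{record_id} };
    return 0 unless defined $user && defined $owner;   # not logged in / unknown record
    return $user eq $owner ? 1 : 0;
}

# Constructed requests: a forged POST by bob against alice's record,
# alice editing her own record, and an anonymous GET.
my @requests = (
    { who => 'bob forges POST for record 7', method => 'POST', session_user => 'bob',   record_id => 7 },
    { who => 'alice edits own record 7',     method => 'POST', session_user => 'alice', record_id => 7 },
    { who => 'anonymous GET for record 8',   method => 'GET',  session_user => undef,   record_id => 8 },
);

for my $req (@requests) {
    printf "%-32s method_only=%s owner_check=%s\n",
        $req->{who},
        method_only_check($req) ? 'allow' : 'deny',
        owner_check($req)       ? 'allow' : 'deny';
}
```

Run it with `perl` and compare the two columns: bob's forged POST is allowed by the method-only check and denied by the ownership check, which is exactly the gap the reply describes. In a real controller the session user would come from the authentication plugin and the owner from the model, but the comparison itself is the whole defence.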
