Well... i need to ask you something!!. I'm not having a bug... nor an exception. I need to know the following:

i'm developing a web application with WebWork & Hibernate (3.0.2) for an university project. Suppose you have Cat objects, with ID and Name. When your user wants to modify a Cat, well, you search the cat by its ID and retrieve it on screen. But...

where do you maintain the ID of the cat that's being updated ??. It's obviously NOT secure to store it as hidden inside the update form... how should i handle it ?? create an hibernate Session per user, and store it in the JSP session ??. How would you solve it ?

THANKS for your time!!!!!


Jorge L. Perez

not secure to show it...why...
because someone can put in a different id, and send it back to the server...and hence try and update something that they don't have rights to.

I would make sure it's secure...by storing the user in the session, and then checking that the user has rights to modify the object that they are trying to modify on the server.

exactly. Not secure because an user can change the ID and... update objects that isn't supposed to touch.

Ok... one solution is that one... check if he has permission to change that. But... isn't it easier to keep the ID on server side ??. You work like this, checking before-saving ?

Thanks!!

Hiding the ID from the user won't prevent him from guessing an ID and updating it anyway. If your app relies on hidden information for its security, it's not secure.

+1

There are many products out there that let users hack into the http request/response data and do all kinds of things to it. The only way to truly secure your system is to verify the user is who he says he is (authenticate), and then use role-based or business-rule-based logic to determine whether the user actually has the authority to do what he's requesting to do (authorize).

There are also ways of creating tokens such that if the user modifies request params, one can find out.

Anyway, you'd get more detailed info on this on a Struts type of forum.

hey... that's a really good idea.....

>> Send the ID of the object being modified... plus...
>> Add a hash, obtained from Object ID + Internal user ID

And... when saving the changes... just check if i get the same hash code.

I know, if someone knows that's the algorythm... i'm dead. But it can work!!!

Thanks, thanks!!