On Sun, 26 Aug 2001 19:10:59 +0200 (CEST) you wrote:
When I think of how to prevent this, use of the "Referer" header jumps out, but I don't send it from some of my browsers. Not so easy. Because, I often may want to call "manage_XXX" from somewhere different from "manage_XXXForm"....
I suspect that you probably *usually* call it from the same folder or something "nearby" (not from a subfolder of the folder's parent...). At the very least, you call it from a "page" that you own (or a page generated by an object you own, etc.).
Other possibilities include use of cookies, but I don't even like the current dependency on them. Would it help?
A cookie could be generated when visiting a management page. That cookie would be required for management actions on that page.
You would attack only when the necessary cookie is there.
You could play with expiration times to get it to help a little bit, but I don't see it as a "solution" and it's *way* too messy for me to be interested in pursuing.
Any clever thoughts? Attack this problem by non-technical means.
Yup. I'm all for leaving policy enforcement to people. I just want to be sure that I'm taking "reasonable" steps to prevent chaos.
They are your authors, aren't they?
Have you worked with students recently? Thank you. --kyler
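The two mitigations discussed in this thread, a Referer check and a cookie issued when the management form is visited, as an added example in Python that is not code from the thread or from Zope; the function names, the `manage_token` cookie and field name, the host name and the request dictionary are all constructed for illustration:

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical helpers: this is an added example, not Zope's own code.

def issue_manage_token(secret: bytes, session_id: str, now: float, ttl: int = 900) -> str:
    """Issue a token when manage_XXXForm is rendered. The caller sets it as
    a cookie AND embeds it as a hidden form field; it is bound to the
    session and carries an expiry so it cannot be replayed indefinitely."""
    nonce = secrets.token_hex(8)
    expiry = int(now) + ttl
    mac = hmac.new(secret, f"{session_id}:{nonce}:{expiry}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{expiry}.{mac}"

def token_is_valid(secret: bytes, session_id: str, token: str, now: float) -> bool:
    """Check the token's integrity, its binding to this session, and expiry."""
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and now <= expiry

def authorize_manage_action(request: dict, secret: bytes, own_host: str, now: float) -> bool:
    """Gate a manage_XXX action. `request` is a constructed dict with the keys
    headers, cookies, form and session_id (a stand-in for a real request)."""
    referer = request["headers"].get("Referer")
    if referer is not None and urlparse(referer).hostname != own_host:
        return False  # a Referer from a foreign host is rejected outright
    # A missing Referer is tolerated here, since some browsers do not send it;
    # the cookie/form token pair then carries the whole check.
    cookie_tok = request["cookies"].get("manage_token")
    form_tok = request["form"].get("manage_token")
    if not cookie_tok or not form_tok:
        return False  # action submitted without first visiting the form page
    if not hmac.compare_digest(cookie_tok, form_tok):
        return False  # a third-party page cannot read our cookie to copy it
    return token_is_valid(secret, request["session_id"], form_tok, now)
```

Because the token lives in both the cookie and the form body, a request forged from another site can carry the cookie but not the matching field, which is the property the cookie idea above relies on.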