AUTHENTICATED_USER insecure. But how insecure?
"SecurityGetUser = Return the current user object. This is normally the same as the REQUEST.AUTHENTICATED_USER object. However, the AUTHENTICATED_USER object is insecure since it can be replaced"

This is something that has been confusing me, since it is never explained. How much should I worry about REQUEST.AUTHENTICATED_USER being changed, and is there much performance downside or something else to using SecurityGetUser, which goes all the way back to the Security Manager to get the user?

-huima
Hi. On Mon, Mar 04, 2002 at 06:18:17PM +0200, Heimo Laukkanen wrote:
> "SecurityGetUser = Return the current user object. This is normally the same as the REQUEST.AUTHENTICATED_USER object. However, the AUTHENTICATED_USER object is insecure since it can be replaced"
> This is something that has been confusing me, since it is never explained. How much should I worry about REQUEST.AUTHENTICATED_USER being changed, and is there much performance downside or something else to using SecurityGetUser, which goes all the way back to the Security Manager to get the user?

You should worry if you run code that you don't know what it does (e.g. DTML Methods from some user on your server), but it is also more readable (I think) to use SecurityGetUser.

> -huima
Greetings,
Christian

--
Christian Theune - ct@gocept.com
gocept gmbh & co.kg - schalaunische strasse 6 - 06366 koethen/anhalt
tel.+49 3496 3099112 - fax.+49 3496 3099118 mob. - 0178 48 33 981
reduce(lambda x,y:x+y,[chr(ord(x)^42) for x in 'zS^BED\nX_FOY\x0b'])
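To illustrate the point in Christian's reply, here is an added Python toy model (not Zope's code; the Request class and the thread-local "security manager" are simplified stand-ins for Zope's REQUEST and getSecurityManager()) showing an authorization check that reads REQUEST.AUTHENTICATED_USER being fooled once that variable is replaced, while a check that asks the security manager is not.

```python
"""Toy model of why trusting REQUEST.AUTHENTICATED_USER is weaker than
asking the security manager (SecurityGetUser) for the current user.
Not Zope's real classes: Request and the thread-local manager are stand-ins."""
import threading


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)

    def has_role(self, role):
        return role in self.roles


class Request(dict):
    """Stand-in for Zope's REQUEST: a shared, writable namespace that any
    code running during the request (DTML Methods included) can set() into."""
    def set(self, key, value):
        self[key] = value


# Stand-in for the thread-local security manager, set once by the publisher
# after authentication; request-level code only reads it.
_manager = threading.local()


def new_security_manager(user):
    _manager.user = user


def get_security_manager_user():
    return _manager.user


def can_edit_via_request(request):
    # Weak: trusts whatever currently sits in REQUEST.AUTHENTICATED_USER.
    return request["AUTHENTICATED_USER"].has_role("Manager")


def can_edit_via_security_manager(request):
    # Robust: asks the security manager, which request-level code cannot overwrite.
    return get_security_manager_user().has_role("Manager")


def simulate():
    """Publish one request as 'huima' (Member only), then let some other code in the
    same request replace the REQUEST variable, and compare both checks before/after."""
    huima = User("huima", ["Member"])          # constructed sample user
    request = Request(AUTHENTICATED_USER=huima)
    new_security_manager(huima)
    before = (can_edit_via_request(request), can_edit_via_security_manager(request))
    request.set("AUTHENTICATED_USER", User("spoofed", ["Manager"]))  # the "it can be replaced" case
    after = (can_edit_via_request(request), can_edit_via_security_manager(request))
    return before, after  # ((False, False), (True, False))
```

The request-based check flips to True after the variable is replaced; the security-manager check still reflects the authenticated user, which is why code that is not fully trusted should use SecurityGetUser.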