[Zope] URLs expose information which we'd like to hide

Jim Kutter jim at ebizq.net
Wed Feb 4 12:36:21 EST 2004


What about using the session machinery?

-jim

-----Original Message-----
From: Dennis Allison [mailto:allison at sumeru.stanford.EDU] 
Sent: Wednesday, February 04, 2004 11:10 AM
To: zope at zope.org
Subject: [Zope] URLs expose information which we'd like to hide



The parameters passed by GET and, to a lesser extent, the URLs themselves,
represent a security issue in one of our systems.

One solution, which we tried and have had to back off from, is to configure
the browser window to simply not display the URL and Status lines.  The
problem there is that the pop-up blockers (now becoming common) interfere.

Another, no longer available )-: , would be to exploit the URL hack that
MS has just released an IE patch to fix.

A partial solution would be to make POST, not GET, the standard for
parameter transmittal.  Has anyone tried this?  I suspect there are all
sorts of hidden gotchas.

Suggestions?



