So how do you handle the form-security problem of posting data to a different page? For instance, you have a member who tries to change his/her personal settings, and you redirect the member to

www.domain.com/member/change/member_id

The member changes the values and posts the data to another page by changing the form action with Firebug or something else. For instance

www.domain.com/member/change/member_id_2

How do you handle this problem without using sessions?

A: 

This problem arises when there are no server-side validations!

So, the solution is to have server-side validations.

Mahesh Velaga
A: 

Why not use session state? It's designed for that.

Alternatively, use cookies or URLs with a unique session-style ID embedded in them, which allows you to tie the request back to a specific user.

Wim Hollebrandse
A: 

How do you handle members without a session? Before modifying anything, check whether the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same URL, and with Firebug you change the form to point to /members/change/2. When processing the form, you have to check whether the user id in the form is the current user's id, and if not, display an error.

Maerlyn
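The check this answer describes, written out as an added example (it is not code from the answer or from any particular framework): the handler trusts only the identity the authentication layer established, and refuses the change when either the id in the URL or a hidden `member_id` field names someone else. The `Request` shape, the `change_member`/`handle` names and the in-memory member store are assumptions made for this illustration.

```python
# Added example, not code from the original answers: a server-side ownership
# check for a "change member settings" POST. The Request shape, the handler
# names and the in-memory member store are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Member:
    member_id: int
    email: str


@dataclass
class Request:
    # Identity established by the authentication layer (session, signed
    # cookie, HTTP auth); None means the request is anonymous. This is the
    # only value the handler trusts.
    authenticated_member_id: Optional[int]
    # Id taken from the URL /member/change/<path_member_id>: attacker-controlled.
    path_member_id: int
    # Form fields, including any hidden member_id: attacker-controlled.
    form: Dict[str, str] = field(default_factory=dict)


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data for the example.
MEMBERS: Dict[int, Member] = {
    1: Member(1, "one@example.com"),
    2: Member(2, "two@example.com"),
}


def change_member(req: Request, members: Dict[int, Member] = MEMBERS) -> Member:
    """Apply the posted settings only to the member the caller is logged in as."""
    if req.authenticated_member_id is None:
        raise Unauthenticated("login required")
    target = req.path_member_id
    # Firebug-style tampering: the form action (URL) or a hidden field now
    # names a different member. Both must equal the authenticated identity.
    if target != req.authenticated_member_id:
        raise Forbidden(
            f"member {req.authenticated_member_id} may not edit member {target}"
        )
    if "member_id" in req.form and req.form["member_id"] != str(target):
        raise Forbidden("form member_id does not match the URL")
    if target not in members:
        raise Forbidden("no such member")
    member = members[target]
    member.email = req.form.get("email", member.email)
    return member


def handle(req: Request) -> tuple:
    """Map the handler's outcome to an HTTP-style (status, message) pair."""
    try:
        member = change_member(req)
        return 200, f"saved settings for member {member.member_id}"
    except Unauthenticated as e:
        return 401, str(e)
    except Forbidden as e:
        return 403, str(e)


if __name__ == "__main__":
    # Member 1 edits their own record: allowed.
    print(handle(Request(1, 1, {"member_id": "1", "email": "new@example.com"})))
    # Member 1 rewrote the form action to /member/change/2: refused.
    print(handle(Request(1, 2, {"member_id": "2", "email": "evil@example.com"})))
```

The simplest hardening goes one step further than the answer: do not take the target from the URL or the form at all, and always write to `members[req.authenticated_member_id]`. Whichever way you do it, the authenticated identity still has to come from somewhere (a session, a signed cookie or HTTP authentication), so "without sessions" really means "with some other authenticated identity".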
A: 

You could encrypt the identity information (member_id) and add it as a parameter or URL path. When the request is posted to the member_id form, you can verify that the encrypted member_id (which is part of the request) matches the member_id.

Dominik
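An added example of this answer's idea, not code from the answer itself: the member_id is protected with an HMAC rather than encrypted, because the id is not secret, it only needs to be unforgeable and to carry an expiry. The token layout, the function names and `SECRET_KEY` are assumptions made for this example.

```python
# Added example, not code from the original answers: the "encrypted member_id"
# idea implemented as an HMAC-signed token (a MAC, not encryption: the id is
# not secret, it only needs to be unforgeable). Names, the token layout and
# SECRET_KEY are assumptions made for this example.
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a server-side secret; in a real deployment load it from
# configuration, never hard-code it.
SECRET_KEY = b"example-only-key-do-not-deploy"


def issue_token(member_id: int, *, key: bytes = SECRET_KEY,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue '<member_id>.<expiry>.<hmac>' to the member who just authenticated.

    The server only ever issues a token for the authenticated member's own id,
    so holding a valid token for id N is proof that this client logged in as N.
    """
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{member_id}.{exp}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, *, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> Optional[int]:
    """Return the member_id bound into the token, or None if forged/expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    mid, exp, mac = parts
    # Recompute over the exact strings received so "01" and "1" cannot alias.
    expected = hmac.new(key, f"{mid}.{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; compare as bytes so odd input cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None            # tampered id, tampered expiry, or wrong key
    try:
        member_id, expiry = int(mid), int(exp)
    except ValueError:
        return None
    if int(time.time() if now is None else now) > expiry:
        return None            # stale token
    return member_id


def authorize_change(path_member_id: int, token: str, *,
                     key: bytes = SECRET_KEY, now: Optional[int] = None) -> bool:
    """The answer's check: the id inside the token must equal the id in the URL."""
    return verify_token(token, key=key, now=now) == path_member_id


if __name__ == "__main__":
    t = issue_token(1, now=1000)
    print(authorize_change(1, t, now=1000))             # own record
    print(authorize_change(2, t, now=1000))             # action changed to member 2
    print(authorize_change(2, "2" + t[1:], now=1000))   # id rewritten, MAC fails
```

The token proves that the server issued this member_id, not who is presenting it, so it must be handed out only after authentication and only for the caller's own id; at that point it is effectively a stateless session. Carrying it in the URL path, as the answer suggests, exposes it in server logs and Referer headers, so a POST body field or a cookie is the safer carrier.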