[Za-pm] Re: maintaining state

Dr Giancarlo Contrafatto contrafa at biology.und.ac.za
Mon Sep 15 03:47:32 CDT 2003


> From: Mark Hewitt <mh2 at isis.co.za>
> To: 'za-pm at mail.pm.org' <za-pm at mail.pm.org>
> Subject: [Za-pm] RE: maintaining state
> Date: 12 Sep 2003 10:40:38 +0200


> 
> Ever tried typing the URL of the src="http://www.xx.com/xx.js" tag directly 
> into your browser? You see the source code!!

Yep, sure enough. I wasn't really arguing the point: just that you need
a motivated user to go and do that. Of course, this is not all that
crucial for my site since traffic is low and there is little to gain in
cracking it. ABSA would think differently, no doubt.

> > 
> > A further advantage is that you would not even need to use a formatted
> > dbase file such as MySQL. All info can be stored in a flat, text file or
> > within a reasonably hidden Java script. At the moment, for example, I
> > keep logon info for some 100 odd students in a script without apparent
> 
> Remember, if this is in a file, it cannot be accessed on the server by
> the client, and must be loaded in a javascript and sent to the client, or
> loaded using a src="xxx.js", which is not secure (see above).
> 
> This means I might be able to access login information for all your
> students, and log in as anybody I like.
> 
> 
> Remember, I am not saying here "never do this, it's evil!!"
> It is maybe evil, but _everything_ you ever do or consider is dependent on
> _what_ you are trying to do.
> 
> Sounds like your solution is working well for you; you've been lucky and
> your students have not been up&coming crackers!! However, this may not be an
> advisable solution given a different environment, so I felt I should point
> out that while it works, it is not the best solution. 

Hehehe! You're absolutely right there. When I first deployed the script,
as a test, I was expecting that the first thing the users would do,
would be to go look at the script and then login exactly as you say. My
log files, though, don't show many outside IPs accessing those pages at
all (i.e. none in the last two months). Of course, I can't see if IPs
from my institution do this but, what I've realised is that when faced
with rejected logons, students tend to rather bypass the scripted page
and access the document referred to by it. I guess they are just not
enterprising enough and disinterested in being budding crackers.

So, yah .... usually better to do it by CGI in which case, though, it
would be best to construct the page on the fly rather than referring to
an existing document.

Thanks for the chat.

ciao

-- 
if you wish to savour your virtues, commit a sin from time to time. Ugo Ojetti
####################################################################
Dr. Giancarlo Contrafatto
School of Life and environmental Sciences
University of Natal, 4041, Durban, RSA
Tel: +27 031 2603336 contrafa at biology.und.ac.za
####################################################################
visit Darwin at http://contra.biology.und.ac.za/
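The server-side alternative the thread ends on (check the logon by CGI and build the page on the fly instead of redirecting to an existing document) looks roughly like this. This is an added illustration, not code from either poster; it is written in Python rather than Perl so it can be run as-is, and the user names, passwords, document texts and the `user:salt:digest` file layout are all constructed for the example. The credential file is assumed to live outside the web root, so unlike a `.js` file the client can never fetch it, and only salted password digests are stored in it.

```python
import hashlib
import hmac
import html
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 digest, hex encoded. Only the digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def make_record(user: str, password: str) -> str:
    """Build one 'user:salt:digest' line for the flat credential file."""
    salt = secrets.token_bytes(16)
    return f"{user}:{salt.hex()}:{hash_password(password, salt)}"


# Constructed sample credential file (hypothetical users). It is read by the
# server only and never sent to the browser, unlike a script loaded via src=.
CREDENTIAL_FILE = "\n".join([
    make_record("alice", "correct horse"),
    make_record("bob", "battery staple"),
])

# Constructed stand-in for the documents the old script redirected to. They are
# not served as static files; the page is built on the fly after a successful
# check, so guessing the document URL yields nothing.
PROTECTED_DOCS = {
    "alice": "Alice's practical notes for week 3.",
    "bob": "Bob's practical notes for week 3.",
}

# Dummy salt/digest so that a request for an unknown user costs the same time
# as one for a known user (no user enumeration via response timing).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_DIGEST = hash_password(secrets.token_hex(8), _DUMMY_SALT)


def load_store(text: str) -> dict:
    """Parse 'user:salt_hex:digest_hex' lines into {user: (salt, digest)}."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, digest = line.split(":", 2)
        store[user] = (bytes.fromhex(salt_hex), digest)
    return store


def check_login(store: dict, user: str, password: str) -> bool:
    """Server-side credential check with a constant-time digest comparison."""
    salt, expected = store.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    actual = hash_password(password, salt)
    matched = hmac.compare_digest(actual, expected)
    return matched and user in store


def handle_request(store: dict, form: dict) -> tuple:
    """CGI-style handler: returns (status, html_body) built from the form fields."""
    user = form.get("user", "")
    password = form.get("password", "")
    if not check_login(store, user, password):
        # Same generic message whether or not the user exists.
        return 403, "<html><body><p>Login failed.</p></body></html>"
    body = html.escape(PROTECTED_DOCS.get(user, ""))
    return 200, f"<html><body><h1>Welcome {html.escape(user)}</h1><p>{body}</p></body></html>"


STORE = load_store(CREDENTIAL_FILE)

if __name__ == "__main__":
    for form in ({"user": "alice", "password": "correct horse"},
                 {"user": "alice", "password": "wrong"},
                 {"user": "mallory", "password": "x"}):
        status, page = handle_request(STORE, form)
        print(form["user"], status)
```

In a real CGI deployment `handle_request` would receive the parsed POST fields and the returned body would be written after the `Content-Type` header; the point of the example is only that the secret material and the decision both stay on the server, and that the protected text exists nowhere the client can request directly.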