Comments on Messages not Models: The cure is worse than the disease

Anonymous (2007-04-11 07:49):

> design your app so that each user's info is at a unique URL in the first place!

This discloses the user-specific token in a variety of ways that aren't usually the case with cookies - e.g. httpd/proxy log files, Referer headers, etc.

By all means, use a unique URI for users, but do it *in combination* with another token like a cookie, not *instead of* another token.

hughw (2007-04-03 20:14):

Right -- but the attacker wouldn't know the user specific URI. The real hole is that the vulnerable sites use a single URL the attacker can know in advance.

Mike Dierken (2007-04-03 20:10):

Even with a user-specific URI, if the client (browser, xmlhttprequest, library, etc) sends along authentication information - either in the form of a cookie or Authentication header - then the data will be retrieved and readable.

Depending on the client/browser to not allow code from one domain to send messages to a different domain is a tricky thing - there has to be a better way, but I don't know what it is right now.

I just hope I can figure it out before it's a problem with the code I've written at my new company.