asp.net mvc - Prevent change of hidden field


What if I have a ChangePassword form with a hidden field for the user's ID?

BadPerson, who has GoodPerson's ID, opens the change password form with Firebug, changes the ID to GoodPerson's ID, and the password is changed for GoodPerson.

Of course I can write some server-side logic that will stop it, but I think there is some out-of-the-box solution, which throws if the hidden field is changed, that I do not know of.

Thanks in advance.

Edit: OK, Change Password is a bad example of where I have an ID in the hidden field.

There is nothing that will tell you whether the value of a hidden field has changed or not. For a user to change a password, it means that the user should be authenticated. When using forms authentication, the currently authenticated user is stored in an encrypted cookie that cannot be modified.

This means that you should not use hidden fields to cache the currently connected user. Simply use the built-in and never store such information in hidden fields. The way ASP.NET knows that the value of the cookie has not been tampered with, it indicates it with the specified in configuration.

When working with security and authentication, you must follow an important rule: always use the built-in security mechanisms, do not roll your own.
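
What the answer's advice looks like in an ASP.NET MVC controller, as an added example that is not part of the original answer: the account is taken from the forms authentication identity (`User.Identity.Name`), and the posted model has no ID field to tamper with. The model, controller and redirect target names are hypothetical, and a configured membership provider is assumed.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for this example. It deliberately has no user ID
// or user name property, so nothing in the posted form can select an account.
public class ChangePasswordModel
{
    public string OldPassword { get; set; }
    public string NewPassword { get; set; }
}

[Authorize] // unauthenticated requests are rejected before any action runs
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ChangePassword()
    {
        return View(new ChangePasswordModel());
    }

    [HttpPost]
    public ActionResult ChangePassword(ChangePasswordModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The identity comes from the forms authentication cookie,
        // not from anything in the request body.
        MembershipUser user = Membership.GetUser(User.Identity.Name);
        if (user == null)
        {
            // The cookie is valid but the account no longer exists.
            return new HttpUnauthorizedResult();
        }

        // Requiring the current password also limits what a stolen session can do.
        if (!user.ChangePassword(model.OldPassword, model.NewPassword))
        {
            ModelState.AddModelError("", "The password could not be changed.");
            return View(model);
        }

        return RedirectToAction("Index", "Home"); // assumed landing page
    }
}
```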

