should i validate cookies values?

  • Hernán Castelo

    should i validate cookies values?

    Hi,
    should I validate cookie values?

    Thanks

    --
    Regards,
    Hernán Castelo
    SGA - UTN - FRBA


  • Jeff Cochran

    #2
    Re: should i validate cookies values?

    On Tue, 13 Jul 2004 14:43:52 -0300, "Hernán Castelo"
    <hcastelo@cedi.frba.utn.edu.ar> wrote:

    > should I validate cookie values?

    Absolutely not, otherwise hackers would have a hard time faking them
    to break into your site!

    In case it's missed, that's sarcasm. Trust but verify.

    Jeff


    • Hernán Castelo

      #3
      Re: should i validate cookies values?

      Thanks, but what do you mean when you say "trust but verify"?
      What is "verify" in this case?

      In a newer post I'm asking whether, for the same reason, I need to
      validate "all" the elements that I request at the server side
      (like "Cookies", yes) and also all the "INPUT" elements I retrieve
      with "Request.Form", whether "Text" or "Select" or "Hidden" or whatever.

      Thanks


      --
      Regards,
      Hernán Castelo
      SGA - UTN - FRBA




      • Jeff Cochran

        #4
        Re: should i validate cookies values?

        On Tue, 13 Jul 2004 17:53:57 -0300, "Hernán Castelo"
        <hcastelo@cedi.frba.utn.edu.ar> wrote:

        > Thanks, but what do you mean when you say "trust but verify"?
        > What is "verify" in this case?

        Apologies, possibly a US only term.

        This means no matter how much you trust a source as being valid,
        always verify what you get from that source.

        > In a newer post I'm asking whether, for the same reason, I need to
        > validate "all" the elements that I request at the server side
        > (like "Cookies", yes) and also all the "INPUT" elements I retrieve
        > with "Request.Form", whether "Text" or "Select" or "Hidden" or whatever.

        Anything done on the client can be spoofed or faked at the client end
        as well. You can never control the client. So you always need to
        control what comes back to the server.

        I saw one post that said to verify all the elements you're going to
        use, but I'd say you should not request anything you wouldn't use.

        Verification means simple things as well as complex. Is it a numeric
        field? Then don't accept non-numeric characters. Have they entered
        quotes? Then escape them if you're using them in code. Have they
        entered 500 characters for a field that only accepts 24? Trim it to
        24 or reject it and make them re-enter it. This last should be
        checked on the client *and* the server, the client for entry of more
        than the limit for the field, and the server for the same thing, since
        you can't guarantee the request they sent actually came from your
        form, or was manually entered.

        Jeff
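        The server-side checks Jeff lists (digits only for numeric fields, a hard length limit, and allowlisting of select/hidden and cookie values since the client can alter any of them) as an added example; this is not code from the thread and uses Python rather than classic ASP, with constructed field names and rules:

```python
import re

# Constructed rules, one per value we actually use (nothing else is read):
# a numeric field, a 24-character text field, a <select>, and one cookie.
FIELD_RULES = {
    "quantity": {"kind": "numeric", "max_len": 6},
    "comment": {"kind": "text", "max_len": 24},
    "shipping": {"kind": "choice", "allowed": {"standard", "express"}},
}
COOKIE_RULES = {
    "lang": {"kind": "choice", "allowed": {"en", "es"}},
}


def validate_value(name, value, rule):
    """Check one client-supplied string; return (ok, cleaned_or_error)."""
    if value is None:
        return False, f"{name}: missing"
    if len(value) > rule.get("max_len", len(value)):
        # Reject rather than silently trim, so the user re-enters it.
        return False, f"{name}: longer than {rule['max_len']} characters"
    if rule["kind"] == "numeric":
        # Digits only; the browser-side check may never have run.
        if not re.fullmatch(r"[0-9]+", value):
            return False, f"{name}: non-numeric characters"
        return True, int(value)
    if rule["kind"] == "choice":
        # Hidden/select/cookie values can be altered in the browser: allowlist them.
        if value not in rule["allowed"]:
            return False, f"{name}: not an allowed choice"
        return True, value
    return True, value  # "text": length already enforced above


def validate_request(form, cookies):
    """Validate every expected form field and cookie; ignore everything else.

    Returns (clean, errors). The caller uses only `clean`, and still escapes
    each value for wherever it is used (SQL, HTML, script) at that point.
    """
    clean, errors = {}, {}
    sources = [(form, FIELD_RULES, ""), (cookies, COOKIE_RULES, "cookie:")]
    for values, rules, prefix in sources:
        for name, rule in rules.items():
            ok, result = validate_value(prefix + name, values.get(name), rule)
            (clean if ok else errors)[prefix + name] = result
    return clean, errors
```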


        • Hernán Castelo

          #5
          Re: should i validate cookies values?

          Wonderful, that is just what I wanted to know.

          The validations you are mentioning are just the ones I am going to put in.

          Thanks



          --
          Regards,
          Hernán Castelo
          SGA - UTN - FRBA


