
Which way of param passing is more secure: URL, hidden fields or cookies?

I'm using intraweb and it gives me 3 options for passing parameters.

  1. Using a ?param in the url
  2. Using hidden fields
  3. Using cookies

As far as my code is concerned which option I choose doesn't really matter, the framework abstracts me from that.

But, which one is more secure against tampering by the user?


Passing data in URL parameters risks exceeding the length limit on URLs and can interfere (or be a feature!) with bookmarks. Passing as cookies risks the user having turned cookies off (or the client not supporting cookies). Passing as hidden fields is the most portable.

None of the methods in themselves provide any level of security.

EDIT: One suggestion in the excellent article that lance pointed to is to store your sensitive data on the server and only transmit a cookie to the client. This is a different use of the term cookie and should more properly be called a session id, which can be transmitted back and forth between the server and client using any of the three methods you are considering.


They are all easily duplicated / modified using freely available tools, so I would say use whichever suits your application the best - they are equivalent in terms of security, none of them should be trusted.

Consider using a crypto hash issued by the server-side to prevent tampering whichever option you go for.
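One way to act on the crypto-hash suggestion above, as an added example that is not from the thread or from IntraWeb: the server attaches an HMAC to the parameter value when it sends it out and re-checks it on the way back, with the same check whether the value arrives in the URL, a hidden field or a cookie (`SECRET_KEY` and the helper names are assumptions).

```python
"""HMAC-protected parameter for URL params, hidden fields or cookies."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Placeholder secret for the example: in production load it from a secrets
# store; it must never be sent to the client.
SECRET_KEY = b"replace-with-a-random-32-byte-server-secret"


def sign_param(name: str, value: str) -> str:
    """Return 'value|mac', where mac binds the parameter name and value.

    Binding the name stops a value signed for one parameter being replayed
    as another one (e.g. a signed 'category' presented as 'user_id').
    """
    msg = f"{name}={value}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_param(name: str, token: str) -> Optional[str]:
    """Return the value if the MAC checks out, otherwise None.

    The transport earns no trust: a tampered value fails here regardless of
    whether the client edited a URL, a hidden field or a cookie.
    """
    value, sep, mac = token.rpartition("|")
    if not sep:
        return None  # no MAC attached at all
    msg = f"{name}={value}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected MAC through timing differences
    return value if hmac.compare_digest(expected, mac) else None


def category_from_request(url: str, form: dict, cookies: dict) -> Optional[str]:
    """Accept 'category' from whichever channel the framework used, then verify."""
    qs = parse_qs(urlsplit(url).query)
    token = (qs.get("category", [None])[0]
             or form.get("category")
             or cookies.get("category"))
    return verify_param("category", token) if token else None
```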


From the security point of view, all of them should be treated the same on the server. Just because a variable is passed through pigeon transfer instead of GET, that doesn't mean it's safe. It's still coming from the evil user.

So make sure you use the exact same safety mechanisms for all of them.


None of them are secure (though it's not clear what kind of security you mean exactly).

One obvious difference of course is that url params are always visible - if a user creates a bookmark or sends a URL to somebody, the parameter goes with it.


To what is already said I would like to add that when you have params in the URL it lets the user create bookmarks - http://bikes.com/catalog.aspx?category=downill [not real address]. So that may be better in some cases than the other two options.
