[Seaside] Security

Sean Allen sean at monkeysnatchbanana.com
Sun May 3 01:32:27 UTC 2009


On May 2, 2009, at 5:22 PM, Ross Boylan wrote:

> I understand I can write my app to only show the right things; can a
> determined client get around that?

any security system can be subverted.

i used to make money showing people how an authorized user could get
more than the access they were supposed to. there are so many ways
to attack that, you just have to make sure you keep everything secure.

i've seen systems where only certain parts actually verified you had access
and others ( messaging ) didn't bother. once you understand the messaging
pattern, you could read other people's mail.

i've seen systems that were plenty secure except oops they only required
a cookie token after login, one that was easily intercepted and copied.

if you have to have a secure app and you don't really know web app security,
find someone who does and work with them.
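The messaging failure described above (some paths checked access, the mail path did not) is usually fixed by putting the ownership check in the one accessor every code path uses. The following Seaside component is an added example, not code from the thread; it assumes a session answering `currentUser` and `messageStore` (a Dictionary keyed by message id) and a `Message` class with `id`, `owner`, `subject` and `body`.

```smalltalk
"Added example, not from the original thread. Assumed names:
 Session>>currentUser, Session>>messageStore, Message>>id,
 Message>>owner, Message>>subject, Message>>body."

WAComponent subclass: #MailboxView
    instanceVariableNames: 'selected'
    classVariableNames: ''
    package: 'Example-Mail'.

MailboxView >> ownedMessageAt: anId
    "Single guarded lookup. A missing id and an id owned by another
     user both answer nil, so the view neither shows nor confirms
     the existence of someone else's mail."
    | message |
    message := self session messageStore at: anId ifAbsent: [ ^ nil ].
    ^ message owner = self session currentUser
        ifTrue: [ message ]
        ifFalse: [ nil ]

MailboxView >> select: anId
    "Callback target: resolve through the guarded accessor, never a raw
     dictionary lookup, so the detail pane cannot be reached by id guessing."
    selected := self ownedMessageAt: anId

MailboxView >> ownMessages
    "Listing is filtered by the same ownership rule as the detail view."
    ^ self session messageStore values
        select: [ :each | each owner = self session currentUser ]

MailboxView >> renderContentOn: html
    html heading: 'Inbox'.
    html unorderedList: [
        self ownMessages do: [ :each |
            html listItem: [
                html anchor
                    callback: [ self select: each id ];
                    with: each subject ] ] ].
    selected ifNotNil: [
        html heading level: 2; with: selected subject.
        html paragraph: selected body ]
```

Any other component that needs a message (reply, delete, search) should call `ownedMessageAt:` as well rather than reading the store directly.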


