POST without submit

freecrm

If you manage to find out the ID of another session, it's very easy to edit your cookie and make the server believe you are the user which has that specific session assigned. But if you manage to do that, you cannot access the session directly, I mean it's impossible for the user to see the actual session data. That person can only see webpages that were intended for somebody else. So when you make a site, don't just show all info you have on that person. Just require them to enter their password again for each page which has (for example) the ability to change their password, their personal contact information, ...

Let me get this straight.

I have a php login system using the standard Dreamweaver wizard (with an additional variable).

The site I have is a CRM system so there is lots of sensitive data that may be viewable if someone could hack into a session.

If what you are saying is correct, a hacker could potentially see all records that the normal session user could see - aaarrrgghhh!

I don't particularly want a standard user to re-enter his password on every page.

I also use a workgroup id, which is stored as a session variable and only contact records with that workgroup id can be viewed by users with the same workgroup id - is this too at risk?

I'm not very familiar with cookies but I haven't designed the site to use cookies. If you use sessions, does that automatically write cookies in the temp internet files?
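
As an added example that is not part of the original posts: one way to combine the "re-enter your password" advice quoted above with the wish not to ask on every page is to demand a recent password check only on sensitive pages, and to harden the cookie that PHP's default session handling uses to carry the session ID. The function names, session keys, the `/login.php` and `/reauth.php` paths and the 5-minute window are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Function names, session keys,
// paths and the 5-minute window are assumptions chosen for illustration.

const REAUTH_WINDOW = 300; // seconds a password check stays "fresh"

function start_hardened_session(): void {
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the username/password check succeeds.
function on_login(int $userId, int $workgroupId): void {
    session_regenerate_id(true);  // discard any pre-login session ID
    $_SESSION['user_id']      = $userId;
    $_SESSION['workgroup_id'] = $workgroupId;
    $_SESSION['auth_time']    = time();
}

// Ordinary CRM pages: a valid session is enough.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');   // hypothetical path
        exit;
    }
}

// Sensitive pages only (change password, contact details): the password
// must have been entered within REAUTH_WINDOW, otherwise ask for it again.
function require_recent_auth(): void {
    require_login();
    $age = time() - (int)($_SESSION['auth_time'] ?? 0);
    if ($age > REAUTH_WINDOW) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /reauth.php');  // hypothetical path
        exit;
    }
}

// In reauth.php, after password_verify() succeeds against the stored hash:
function mark_reauthenticated(): void {
    session_regenerate_id(true);
    $_SESSION['auth_time'] = time();
}
```

Ordinary pages call `require_login()` and only the password or contact-detail pages call `require_recent_auth()`. The workgroup ID stays in server-side session data, so the cookie flags matter because they protect the one value the browser does hold, the session ID.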
 

marshian

Are you sure about that? Most people are able to find out the URL of a frame... just right-click it and select something with info :p
And the hidden-form-thingie has already been suggested, but I'd not recommend this, as the user must have enabled JavaScript in order for the link to work, or else we're using buttons again.
 

matt88e

Use JavaScript to do this

<a href="javascript:document.formnamehere.submit()">CLICK HERE</a>
or

<a href="javascript:FUNCTIONNAME()">CLICK HERE</a>

A function in a JS file can be changed to do whatever you want. Submit info, use as a special link system like I use it in. Here is the link to a JavaScript site, sort of, that has ideas you might like

http://www.javascript-coder.com/javascript-form/javascript-form-submit-example.html

I previously used the Java Submit button on one of my pages as a sign-up submit button, but the form had to be filled out before the submit button would show up anywhere on the page I wanted it to. With JavaScript, the submit button can be anywhere you place it. It doesn't have to be within the Form section.
 

marshian

Use JavaScript to do this

<a href="javascript:document.formnamehere.submit()">CLICK HERE</a>
or

<a href="javascript:FUNCTIONNAME()">CLICK HERE</a>

A function in a JS file can be changed to do whatever you want. Submit info, use as a special link system like I use it in. Here is the link to a JavaScript site, sort of, that has ideas you might like

http://www.javascript-coder.com/javascript-form/javascript-form-submit-example.html

I previously used the Java Submit button on one of my pages as a sign-up submit button, but the form had to be filled out before the submit button would show up anywhere on the page I wanted it to. With JavaScript, the submit button can be anywhere you place it. It doesn't have to be within the Form section.

Please read the whole topic before posting... This is one of the first suggestions made, and it has already been suggested again 2 posts higher!
 