The Natural Philosopher
This probably is NOT a JavaScript-specific question, but I crave
indulgence, as there is a limit to how many groups one can search or
subscribe to... and this one, I am sure, has the right answer in the heads
of the people here.
I am doing a top-level specification of a commercial website, built
around Linux/MySQL/Apache/PHP, to perform stock control and sales order
processing, with, of course, an online selling part for people to buy online.
I need to maintain state between forms, naturally, and in the past I
have used hidden variables passed around from frame to frame. This works
well enough if the overall administration parts of such sites are
protected by passwords, as you can't get to the programs except by valid
logins, done with .htaccess files etc.
However, this time I need to maintain a bit more detail with some finer
controls: I need classes of users on the admin side, so I can disallow
access and indeed modify displayed administration menus on at least a
per-user basis... and when processing a sales order, via the 'open' part
of the site, I need to maintain a transaction ID... what concerns me is
that this ID, or indeed any other hidden variables, could be spoofed.
Are cookies uncrackable? If I use cookies to maintain state, how can
they be spoofed? And so on. To issue a random ID is obviously no
problem, but where can it be stored in a user's browser so they can't
modify it? Or indeed find out what it is?
I am less concerned about the session ID than possible access to the
administration areas by script kiddies. Once past any password test, the
browser to server link seems utterly insecure.
I am sure that there is a fundamental gap in my understanding of how
this is normally done. I need rapid education. Please!
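The concern raised above is that hidden form fields and cookies are client-side data and can be altered or guessed. The added example below, written here by the editor and not part of the original post, contrasts three handling patterns in Python (the pattern is what matters; it carries over directly to the PHP site described): a naive handler that trusts an unsigned hidden field, an HMAC-signed hidden field whose tampering is detected, and a server-side session store where the browser only ever holds an unguessable random ID and authorisation is re-checked on every request. The server key, the user names, roles, menu entries and form bodies are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed example: a per-deployment secret that never leaves the server.
# In production this would be loaded from configuration, not generated per process.
SERVER_KEY = secrets.token_bytes(32)


def _first_values(body: str) -> Dict[str, str]:
    """Flatten an application/x-www-form-urlencoded body to {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# --- Pattern 1: an unsigned hidden field is just user input -----------------
def parse_unsigned_form(body: str) -> Dict[str, str]:
    """Naive handler: whatever 'role' and 'txn' the browser sent is believed."""
    fields = _first_values(body)
    return {"role": fields["role"], "txn": fields["txn"]}


# --- Pattern 2: sign hidden fields so any edit is detected -------------------
def _canonical(fields: Dict[str, str]) -> str:
    # Sort so that re-ordering fields in the browser cannot change the MAC input.
    return urlencode(sorted(fields.items()))


def sign_fields(fields: Dict[str, str]) -> str:
    """Render hidden fields plus an HMAC-SHA256 tag computed with SERVER_KEY."""
    payload = _canonical(fields)
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&sig=" + tag


def verify_fields(body: str) -> Optional[Dict[str, str]]:
    """Return the fields if the tag matches, None if missing or tampered."""
    fields = _first_values(body)
    tag = fields.pop("sig", None)
    if tag is None:
        return None
    expected = hmac.new(SERVER_KEY, _canonical(fields).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the correct tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return fields


# --- Pattern 3: keep authoritative state server-side -------------------------
# The browser only holds an opaque random session ID; role and transaction ID
# live here, so the client cannot edit them, only present (or steal) the ID.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session(user: str, role: str) -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    SESSIONS[sid] = {"user": user, "role": role, "txn": secrets.token_hex(16)}
    return sid


def admin_menu(sid: str) -> Optional[List[str]]:
    """Build the admin menu from the server-side role; unknown IDs get nothing."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    menu = ["orders", "stock"]
    if sess["role"] == "admin":  # decided by stored state, not by a hidden field
        menu.append("users")
    return menu


if __name__ == "__main__":
    signed = sign_fields({"role": "clerk", "txn": "T-1001"})
    print("unsigned form believed:", parse_unsigned_form("role=admin&txn=T-1001"))
    print("signed, intact:", verify_fields(signed))
    print("signed, edited:", verify_fields(signed.replace("role=clerk", "role=admin")))
    sid = create_session("alice", "clerk")
    print("menu for clerk session:", admin_menu(sid))
    print("menu for guessed id:", admin_menu("not-a-real-session"))
```

Pattern 2 answers "can a hidden variable be spoofed": yes, unless it carries a MAC the client cannot forge. Pattern 3 answers "where can the ID be stored so the user can't modify it": nowhere; instead the ID carries no meaning, is long enough that it cannot be guessed, and every request maps it back to state the server controls. Neither pattern stops a session ID from being copied off a shared machine or an unencrypted link, so the session store would still want expiry and the cookie would still want to travel only over HTTPS.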