Re: Preventing Typed URLs From Being Used
On 5/8/13 1:47 PM, Steve wrote:
> On Wednesday May 08 4:42 PM, Daniel Pitts wrote:
>> Yes, it solves nothing, it breaks tabbed browsing, and leads to other
>> poor user experience.
> What other "poor user experience"(s)?
Well, for one thing if the user has cookies disabled, your site no
longer works, period.
Also, bookmarks will fail. Oh, and by the way, the user might be coming
to your site from somewhere else.
> How would it break tabbed browsing?
Cookies being set are shared across browser tabs. If the user reloads a
page in a different tab, then that request will have the wrong cookie
value and be denied.
I really do suggest digging deeper and asking *why* your boss wants
this. After 8 years professional software development experience, I can
almost smell the misconceptions your boss has about security.
Users *are* able to enter URLs, fake cookies, POST arbitrary data, even
fake HTTP headers. You shouldn't even try to stop them. Just expect it.
Most of the time, you don't care and shouldn't care.
Sometimes there is data surfaced on your site which must remain secure.
In those times, you should use https *and* authentication *and*
authorization checking.
The alternative to https/authentication/authorization is an insecure
site. If you miss any *one* of those, your site isn't secure.
There are no ifs, ands, or buts.
(Okay, so there are secure transports other than https, but most
of those aren't used in browsers)
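As an added illustration (not code from the thread), here is a small model of the two approaches discussed: the rotating-cookie scheme the boss wants, and the authentication-plus-authorization check the reply recommends. The class and function names are assumptions made for the example, and the rotating scheme is modelled as "each response sets a fresh cookie and embeds the same token in the page's links".

```python
# Added example modelling the thread's two approaches; names are assumptions.
import secrets

class Browser:
    """Cookie jar shared by every tab, as in a real browser."""
    def __init__(self):
        self.cookies = {}

class TokenGate:
    """Rotating-token scheme: every response sets a fresh cookie and embeds
    the same value in the page's links; a request is accepted only if the
    URL token and the cookie both match the last token issued."""
    def __init__(self):
        self.expected = None
    def get(self, browser, url_token=None):
        if self.expected is not None and (
                url_token != self.expected
                or browser.cookies.get("nav") != self.expected):
            return 403, None
        self.expected = secrets.token_hex(8)
        browser.cookies["nav"] = self.expected
        return 200, self.expected  # the served page's links carry this token

class AuthzGate:
    """What the reply recommends: identify the user from an authenticated
    session, then authorize the requested resource on every request, no
    matter how the URL arrived (typed, bookmarked, linked from elsewhere)."""
    def __init__(self, sessions, acl):
        self.sessions, self.acl = sessions, acl
    def get(self, browser, resource):
        user = self.sessions.get(browser.cookies.get("sid"))
        if user is None:
            return 401
        return 200 if resource in self.acl.get(user, ()) else 403

def tabbed_browsing_breaks_token_gate():
    b, g = Browser(), TokenGate()
    _, tab_a = g.get(b)          # tab A loads; its page holds token A
    _, tab_b = g.get(b, tab_a)   # tab B opened from a link in A; cookie now B
    status, _ = g.get(b, tab_a)  # reload tab A: URL has A, cookie has B
    return status                # denied, exactly the failure described above

def authz_gate_tolerates_any_entry_point():
    sessions, acl = {"s1": "alice"}, {"alice": {"/reports/1"}}  # constructed
    b, g = Browser(), AuthzGate(sessions, acl)
    b.cookies["sid"] = "s1"
    typed = g.get(b, "/reports/1")       # typed URL, bookmark or other tab
    forbidden = g.get(b, "/reports/2")   # authenticated but not authorized
    anon = g.get(Browser(), "/reports/1")  # no session at all
    return typed, forbidden, anon
```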