Online documentation - Websydian v6.0


The Integrity Module

Library

WSYINTEG

Main Patterns

EventHandlerWithSignature

PageGeneratorWithSignature

Introduction to the Integrity Module

Integrity Control is effectively provided by the patterns of the Websydian Integrity module.

Protecting against Tampering

From a web browser, a user can save a local copy of the HTML page currently shown in the browser window.  The user can then edit the local copy, change the values in the hidden form fields and submit the edited page back to the server.  By changing one or more hidden fields on a submitted HTML form (e.g. a User ID or Session ID), a web user could in this way try to obtain the credentials of another web user, and thereby be able to see and edit the other user's data.

This is possible because the web server software itself does not keep any record of the values it sent to the user.  Protection against tampering must therefore be provided by the web application.

Digital Signed Requests

Websydian uses Digital Signed Requests to prevent end users from manipulating the hidden fields of forms in an HTML page.  For every event on an HTML page, a Digital Signature is generated from the hidden fields in the event.  If the user changes one or more of the hidden fields, or the signature, between two transactions, the signature will no longer match the hidden fields, and the Websydian application will send an error message back to the user.

Using the "Message Digest 2" (MD2) Algorithm

The digital signing is performed with the "Message Digest 2" (MD2) algorithm, giving a 128-bit signature.  So, using the Digital Signature functionality with a key kept secret from the web user, Websydian guarantees an MD2 level of security.

If a higher degree of integrity checking of hidden fields is required, please contact Soft Design.  Soft Design will be happy to discuss the requirements and to propose an appropriate solution.
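
The signing and checking of hidden fields described above, shown as an added Python example that is not Websydian's own code. It uses HMAC-SHA-256 from the standard library in place of the keyed MD2 scheme, whose exact construction this page does not give; the key, event names and field values are constructed for the illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret that is never sent to the browser (constructed value).
SECRET_KEY = b"constructed-demo-key-not-for-production"


def canonical(event: str, hidden: dict) -> bytes:
    """Encode the event name and hidden fields unambiguously.

    Fields are sorted by name and every item is length-prefixed, so
    {"a": "1b"} and {"a": "1", "b": ""} can never encode to the same bytes.
    """
    parts = [event] + [p for name in sorted(hidden) for p in (name, hidden[name])]
    out = bytearray()
    for part in parts:
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def sign(event: str, hidden: dict, key: bytes = SECRET_KEY) -> str:
    """Signature the page generator places in an extra hidden field."""
    return hmac.new(key, canonical(event, hidden), hashlib.sha256).hexdigest()


def verify(event: str, hidden: dict, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Event handler check: recompute the signature, compare in constant time."""
    expected = sign(event, hidden, key).encode("ascii")
    # Compare as bytes so a non-ASCII signature from the browser fails cleanly.
    return hmac.compare_digest(expected, signature.encode("utf-8"))


def demo() -> dict:
    # Constructed sample form, as the server generated it.
    fields = {"UserID": "1001", "SessionID": "a3f9"}
    sig = sign("UpdateProfile", fields)
    tampered = dict(fields, UserID="1002")  # user edited a saved local copy
    return {
        "untouched": verify("UpdateProfile", fields, sig),
        "field_changed": verify("UpdateProfile", tampered, sig),
        "event_changed": verify("DeleteProfile", fields, sig),
        "signature_changed": verify("UpdateProfile", fields, "0" * 64),
    }


if __name__ == "__main__":
    print(demo())
```

MD2 itself was moved to historic status by RFC 6149 and is not guaranteed to be available in Python's hashlib, hence the substitution.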

MD2 Update

In Websydian 4.0, a bug in the Websydian implementation was fixed. For more information, please refer to Technical Bulletin #2.