Online documentation - Websydian v6.0 |
Users Guide | Patterns Reference | WebsydianExpress | Search |
Introduction Implementing Other Uses Parts Example Background
WSYINTEG
Integrity Control is effectively provided by the patterns of the Websydian Integrity module.
From a web browser, a user can save a local copy of the present HTML page in the browser window. This implies that a user can edit the local copy, change the values in the hidden form fields and then submit the edited page back to the server. By changing one or more hidden fields on a submitted HTML form (e.g. a User ID or Session ID), a web user could in this way try to get the credentials of another web user, and hereby get the possibility to see and edit the data of the other user.
This can be done because the web server software itself does not save information about the values submitted to the user. So protection against tampering must be done by the web application.
Websydian uses Digital Signed Requests to prevent end users from manipulating the hidden fields of forms in an HTML page. For every event on an HTML page, a Digital Signature is generated from the hidden fields in the event, and if the user tries to change one or more of the hidden fields or the signature between two transactions, the signature will not match the hidden fields, and the Websydian application will send an error message back to the user.
The digital signing is performed with the "Message Digest 2" (MD2) algorithm giving a 128 bit sign. So, using the Digital Signature functionality with a key kept secret for the web user, Websydian guarantees a MD2-level of security.
If a higher degree of integrity checking of hidden fields is required, please contact Soft Design. Soft Design will be happy to discuss the requirements and to propose an appropriate solution.
In Websydain 4.0 a bug in the Websydian implementation was fixed. For more information please refer to Technical Bulletin #2.