I noticed this recently when we started building the security component of a project. The best way to explain the issue is with an example:
Imagine that in your application you create an “edit profile” action where each user can change the personal details of their account. Of course there will be fields for changing the user’s real name, password, email, etc., but the username field should be read-only.
The direct approach to creating such a page is to reuse the “edit” action of the user’s controller, but instead of taking the ID from the URL, it needs to be fetched from the session’s auth variable. The second thing you have to do is remove the “username” field from the view, and you are done. 🙂 Well, fast and easy, but not very secure…
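As an added illustration of why removing the field from the view is not enough (example code, not the blog’s own): the same profile update written the naive way, which applies whatever the request carries, next to a version with a server-side allow-list of editable fields. `User`, `sample_state` and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class User:
    id: int
    username: str
    real_name: str
    email: str

# Only these fields may be changed from the profile form; "username" stays read-only.
EDITABLE_FIELDS = ("real_name", "email")

def sample_state():
    """Constructed sample data standing in for the database and the auth session."""
    users = {7: User(id=7, username="alice", real_name="Alice A.", email="alice@example.com")}
    session = {"auth_user_id": 7}
    return users, session

def profile_update_naive(users, session, form):
    """Reuses the generic 'edit' behaviour: every submitted field that exists on the
    model is applied. Dropping 'username' from the HTML form does not stop a client
    from sending it, so the user can still rename themselves."""
    user = users[session["auth_user_id"]]          # ID comes from the session, not the URL
    changes = {k: v for k, v in form.items() if k in vars(user) and k != "id"}
    users[user.id] = replace(user, **changes)
    return users[user.id]

def profile_update_hardened(users, session, form):
    """Same flow, but the server decides which fields are editable; anything else
    in the request (such as 'username') is ignored."""
    user = users[session["auth_user_id"]]
    changes = {k: form[k] for k in EDITABLE_FIELDS if k in form}
    users[user.id] = replace(user, **changes)
    return users[user.id]

if __name__ == "__main__":
    # A submission that still carries the field the view no longer shows.
    form = {"real_name": "Alice B.", "username": "admin"}
    users, session = sample_state()
    print(profile_update_naive(users, session, form).username)     # admin
    users, session = sample_state()
    print(profile_update_hardened(users, session, form).username)  # alice
```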
I’ve been registered on the TLA site for a long time. Since I started this blog I have put their ad here, but only until now.
I really want to know that I am the only person who knows my password, but unfortunately it’s not this way, at least at TLA. Recently I wanted to log in to my account at text-link-ads.com, but I had forgotten my password and requested a new one with the “Forgot password” feature on their site. I was really surprised that, instead of a temporary string for a new password, or an activation link which would give me access to change my password, I received my password as plain text in my e-mail.