Are you talking about the conversation id?
Yes, I'm...please help me if you can.
You can create a custom conversation id generator for any conversation id strategy you like.
Yes, but I need to change exactly this:
It means to delete ?cid=7
I'm trying with URLRewriter 2.6 because I'm using Seam 2.0.0.GA; I cannot use <rewrite pattern...> in pages.xml, as that comes with 2.1.
Do you know how to make it with the <outbound-rule> tag?
If you delete the cid your conversations will not work correctly. Why does it need to be hidden? It is not possible for a user to change the cid and end up in another user's conversation, as they are session scoped. If you are not worried about this then what is the issue?
But that is a completely different reason... not security related (ok... could lead to a DoS, but that is a different thing)
I think you need to figure out what exactly you are trying to accomplish and then re-ask the question.
Pretty similar problem, though not with cid. It's with any param. Example: when I log in to my Seam app I get to the page for Distributor ... and the URL is:
If I just change that 3 into 2 (distributorId) ... I am looking at the data of the distributor with id 2. A major no-no!
I am new to all this, new at the forum, lost 2 days on what I think is a rather trivial situation, played myself (don't laugh) with URL rewrite all day long ... fuming frustrated... just can't solve this. :(
How do I hide those param values? How to hide that distributorId?
Thank you in advance. Best regards,
Hey, Have you found out a solution to this yet? I have the same issue.
From whom do you want to hide the parameters?
- if from anyone snooping the traffic, then use SSL
- if from the user (i.e. you don't want it to be part of the URL but sent via an HTTP POST), it has zero security value.
If you want to prevent the user from accessing other data (i.e. you want to have instance-level authorization), you need to design your back-end to enforce that and not rely on hiding the parameter. Even if you encrypt it, this is still vulnerable to capture-and-replay attacks. It sounds like you need to read more on application security; start with OWASP.
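An added illustration of the point made in this last reply, not code from the thread or from Seam: an HMAC-tagged token stands in for "encrypting the parameter", the distributor rows and logins are constructed, and the backing-bean logic is reduced to two plain functions. The unchecked version shows that an obscured distributorId captured from one user's URL still resolves when another user replays it; the checked version ties the lookup to the server-side identity, which is the instance-level authorization the reply describes.

```python
import hmac
import hashlib

# Constructed sample data: distributor rows and the login that owns each
# (assumption for the demo: one login owns exactly one distributor record).
DISTRIBUTORS = {
    2: {"name": "Distributor Two", "owner": "bob"},
    3: {"name": "Distributor Three", "owner": "alice"},
}

SECRET = b"constructed-demo-key"  # stands in for an application-side key


def opaque_id(distributor_id: int) -> str:
    """Obscure the id with an HMAC tag, a stand-in for an encrypted parameter."""
    tag = hmac.new(SECRET, str(distributor_id).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{distributor_id}.{tag}"


def resolve_opaque_id(token: str) -> int:
    """Reject tokens whose tag does not match; this stops edits like 3 -> 2,
    but says nothing about WHO is presenting the token."""
    raw, _tag = token.split(".", 1)
    if not hmac.compare_digest(opaque_id(int(raw)), token):
        raise PermissionError("tampered token")
    return int(raw)


def view_distributor_unchecked(current_user: str, token: str) -> dict:
    """Vulnerable: trusts the (obscured) parameter and ignores the caller."""
    return DISTRIBUTORS[resolve_opaque_id(token)]


def view_distributor_checked(current_user: str, token: str) -> dict:
    """Hardened: instance-level authorization keyed on the server-side identity."""
    row = DISTRIBUTORS.get(resolve_opaque_id(token))
    if row is None or row["owner"] != current_user:
        raise PermissionError("not your distributor")
    return row


if __name__ == "__main__":
    alice_token = opaque_id(3)  # as it would appear in alice's URL
    # Replay by a different login: the obscured id alone does not help.
    print(view_distributor_unchecked("bob", alice_token)["name"])
    try:
        view_distributor_checked("bob", alice_token)
    except PermissionError as err:
        print("denied:", err)
```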