#1 2022-10-28 07:55:25

htits2008
Member
Registered: 2015-03-25
Posts: 34

How to prevent intermediaries from repeatedly obtaining server data?

Today I found a problem. In the JS client, after logging in to the server, execute the remote service to get the data. When we use F12 to debug the browsing page, the URL of the last data retrieval will be displayed in the network tag. If I copy this URL, I can open it in other browsers or computers and get data. Is this a disguised way to skip security verification? After I log out, the above URL will no longer be valid. I wonder if there are properties on the server side that can be used for time comparison between two ends? Or  The session_signature can only be used once on the server side? My usage environment is window, M2

http://127.0.0.1:19217/orp/orp_FTS.whereQuery?aTypeTable=orp_rs_dzwj&aWhere=%20where%20NianDu%3D%221989%22&aPage=1&aPageLine=30&session_signature=000f52f8001d8f15d8a3c4db

Offline

#2 2022-10-28 09:44:56

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: How to prevent intermediaries from repeatedly obtaining server data?

This is as expected, and required - since the browser could need a new connection on the next call.

Two advices:
1) always use TLS i.e. https:// if you can
2) use a POST instead of a GET.

Offline

Board footer

Powered by FluxBB