Sunday, 04 June 2006 23:41

In OpenComment, the next commenting system for Joomla based on akocomment, the following functions are NOW running with AJAX:
- rating comments up and down,
- deleting comments,
and soon filtering operations and even publishing new comments.
But working in computer science does not mean "ready for production": AJAX without taking precautions can be disastrous. This code faces some serious security issues that I will have to solve:
- The AJAX code does not run inside the Joomla session, so I have to re-implement some low-level operations such as database access (which Joomla already provides).
- Who protects a comment against a replayed rating-up attack? I will introduce a public key per article, which has to be submitted to the server, and a private key stored in the session, which will be destroyed after the first operation.
- How to make sure that the asynchronous operation on a comment originates from a page served by my server?
-> I will introduce server challenge keys: a cryptographic field that depends strongly on the server name, the URL, the time and a random part. This ticket will also carry a timestamp: if you wait more than, let's say, 20 minutes, you will no longer be able to rate or operate on the comment. This is similar to com_hashcash, so nothing really new to me.
- How to avoid that a rating-up operation for comment A gets hijacked by injecting new parameters for comment B?
-> Comments will be identified by their UUID (and not a simple ID as in akocomment), so an attacker would have to know it in order to attack multiple Joomla sites at the same time.
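As an added illustration (not code from OpenComment or its author), here is how the server challenge ticket described above can be minted and checked, and how binding it to the comment's UUID stops a ticket issued for comment A from being replayed against comment B. It is written in Python rather than Joomla's PHP because the construction is language-neutral; the server secret, server name, URLs and comment UUIDs are constructed sample values, and the in-memory set of consumed nonces is an assumed stand-in for the session-side state the post proposes for making each ticket good for a single operation.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import uuid

# Constructed demo secret: a real site would generate one per install and
# keep it outside the web root (assumption, not the project's own design).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SERVER_NAME = "www.example.org"   # constructed sample server name
TICKET_TTL = 20 * 60              # 20 minutes, the lifetime suggested in the post

# Nonces already spent. Constructed as an in-memory set; in OpenComment this
# would live in the session or database so a ticket works exactly once.
_consumed = set()


def _mac(server_name, url, comment_uuid, issued_at, nonce):
    """HMAC over every field the ticket must be bound to.

    Putting the comment UUID under the MAC is what defeats re-targeting:
    a ticket issued for comment A fails verification if the request names B.
    """
    msg = b"|".join([
        server_name.encode(), url.encode(), comment_uuid.encode(),
        struct.pack(">Q", issued_at), nonce,
    ])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_ticket(url, comment_uuid, now=None):
    """Mint a ticket when the page that renders the comment is served."""
    issued_at = int(time.time() if now is None else now)
    nonce = os.urandom(16)            # the random part of the challenge
    tag = _mac(SERVER_NAME, url, comment_uuid, issued_at, nonce)
    raw = struct.pack(">Q", issued_at) + nonce + tag
    return base64.urlsafe_b64encode(raw).decode()


def check_ticket(ticket, url, comment_uuid, now=None):
    """Return None if the AJAX request may proceed, else the rejection reason."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
        issued_at, = struct.unpack(">Q", raw[:8])
        nonce, tag = raw[8:24], raw[24:]
    except Exception:
        return "malformed"
    if len(nonce) != 16 or len(tag) != 32:
        return "malformed"
    # Verify the MAC before trusting any field, in constant time.
    expected = _mac(SERVER_NAME, url, comment_uuid, issued_at, nonce)
    if not hmac.compare_digest(tag, expected):
        return "bad signature"        # forged, or aimed at another comment/URL
    now = time.time() if now is None else now
    if now - issued_at > TICKET_TTL:
        return "expired"
    if nonce in _consumed:
        return "replayed"             # same ticket used for a second rating
    _consumed.add(nonce)
    return None


if __name__ == "__main__":
    # Constructed walk-through: one accepted rating, then the replay is refused.
    cid = str(uuid.uuid4())           # the comment's UUID, as the post proposes
    page = "/index.php?option=com_opencomment&id=42"   # constructed URL
    tk = issue_ticket(page, cid)
    print("first use:", check_ticket(tk, page, cid))
    print("second use:", check_ticket(tk, page, cid))
```

The order of the checks matters: the MAC is verified first so that no attacker-controlled field (timestamp, nonce) is acted on before it is known to be genuine, and `hmac.compare_digest` avoids leaking the tag through timing. Because the ticket is itself the proof, the server stores nothing at issue time and only has to remember spent nonces for the 20-minute window.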
If you see something else, or know a similar piece of code or algorithm in the open source world, contact me or post your remarks below.