Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article

To: Lazamataz

People don’t understand. Even IF (big if) software could be written, developed and implemented to allow FReepers only to view...

I’ll go even further.... Even IF (big if) software could be written, developed and implemented to allow ONE THIRD OF ALL FReepers only to view...

This place will be a parking lot tomorrow night.

(IMHO)


42 posted on 11/05/2012 6:15:30 AM PST by Responsibility2nd (NO LIBS. This Means Liberals and (L)libertarians! Same Thing. NO LIBS!!)
[ Post Reply | Private Reply | To 28 | View Replies ]


To: Responsibility2nd

It doesn’t require new software to be written. I write .net software applications and .aspx, and the implementation of what this post was asking for does NOT require a major undertaking; in fact, it’s very easy to do.


49 posted on 11/05/2012 6:24:10 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 42 | View Replies ]

To: Responsibility2nd; Arcy; BuckeyeTexan
Actually, on the walk over to work (yes, I live THAT close to work), I realized I spoke w/o coffee.

The authentication layer is already written. It's the login and cookie structure JohnRob already has in play. What we would do is the AUTHORIZATION layer, which is a lot easier if all you are doing is granting access to pages. I've never 'had it that easy', I've always had to have RBAC (Rules-Based Access Control) down to the control- and menu-item level.

I won't claim it to be a five-minute fix, but it is a lot easier than it first struck me.

By the way, during my thinkwalk, I actually thought of a series of security holes that I bet JohnRob didn't think to plug, based on his authentication method. If he's not using SessionID on every page, he's vulnerable to a variety of spoofs and CSRF 'confused teller' attacks. Not a big deal, because the attacker would need to know A) which internet user was logged into FR to begin with, and B) the payoff is small, unless they happen to luck upon the session with Admin Mod, JimRob or JohnRob. So what if they hijack Laz's screen name, for example. All that would happen is Laz might not hit it for one day.

61 posted on 11/05/2012 6:46:03 AM PST by Lazamataz (The Pravda Press has gone from 'biased' straight on through to 'utterly bizarre'.)
[ Post Reply | Private Reply | To 42 | View Replies ]
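Added example, not code from the thread or from the site: a sketch of the split the post above describes, a page-level AUTHORIZATION layer sitting on top of an existing login cookie, plus the per-session token check that closes the "confused deputy" CSRF hole mentioned. Page names, group names and the grant table are constructed placeholders; the real site's cookie layout is not known here.

```python
"""Page-level authorization over an existing session cookie, with a
per-session CSRF token on state-changing requests.
Added example; all names and the grant table are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed grant table: which groups may view which pages.
# This is the whole "authorization layer" when all you do is grant pages.
PAGE_GRANTS = {
    "/index.html": {"member", "moderator"},
    "/posting.html": {"member", "moderator"},
    "/admin/moderate.html": {"moderator"},
}

# Methods that change state and therefore need the CSRF token.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Session:
    """One logged-in session, keyed by the value carried in the cookie."""
    session_id: str
    user: str
    groups: set
    # Random per-session token; pages embed it in forms, handlers check it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Stand-in for the existing login/cookie store (constructed).
SESSIONS: dict = {}


def login(user: str, groups) -> str:
    """Authentication layer: mint an unguessable session id for a user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(sid, user, set(groups))
    return sid


def authenticate(cookie_sid: str):
    """Look the cookie value up; None means not logged in."""
    return SESSIONS.get(cookie_sid)


def authorize(session: Session, page: str) -> bool:
    """Authorization layer: deny unknown pages, allow if any group matches."""
    allowed = PAGE_GRANTS.get(page)
    if allowed is None:
        return False
    return bool(session.groups & allowed)


def csrf_ok(session: Session, form_token) -> bool:
    """Constant-time compare of the submitted token against the session's."""
    if not isinstance(form_token, str):
        return False
    return hmac.compare_digest(form_token.encode(), session.csrf_token.encode())


def handle_request(cookie_sid, page, method="GET", form_token=None) -> int:
    """Return the HTTP status the request would get: 401, 403 or 200."""
    session = authenticate(cookie_sid)
    if session is None:
        return 401                      # no valid login cookie
    if not authorize(session, page):
        return 403                      # logged in, but page not granted
    if method in STATE_CHANGING and not csrf_ok(session, form_token):
        return 403                      # cookie alone is not enough to act
    return 200


if __name__ == "__main__":
    sid = login("member1", ["member"])
    print(handle_request(sid, "/index.html"))
    print(handle_request(sid, "/admin/moderate.html"))
    print(handle_request(sid, "/posting.html", "POST", SESSIONS[sid].csrf_token))
```

The point of the token check is the one the post makes: a browser sends the login cookie automatically, so a cross-site form can act as the logged-in user unless each state-changing request also carries something the attacker's page cannot read. The grant table is deliberately deny-by-default for pages it does not list.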




FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson