Goofus and Gallant, Part One

Remember Goofus and Gallant, the kids in the Highlights magazine, that dentist's office staple? Goofus always made the mistakes, Gallant was always perfect. Teaching kids right from wrong.

While trying to explain a simple security problem in a web application, I realized a picture book approach might help get the point across.

This diagram demonstrates the "right way" and the "wrong way" to identify users in a web application.

Sometimes we get caught up in details – it's nice to turn a thousand words into a picture.

Published Friday, August 31, 2007 6:49 PM by Alex

Comments

re: Goofus and Gallant, Part One @ Wednesday, June 11, 2008 1:33 PM

I've been notified that this diagram is actually a little confusing. The “certificate” coming from the session store was actually meant to be a representation of a user name, or other form of identity, in the session. The goal was to point out that you shouldn’t accept the user name directly from the user. Instead, you should accept a session identifier, which you correlate with a user ID in the session store.

by Alex
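The contrast in the diagram, as clarified in the comment above, written out as an added example that is not part of the original post: the "Goofus" handler takes the user name straight from a client-controlled cookie, while the "Gallant" handler accepts only an opaque session identifier and resolves it against a server-side session store. The function and cookie names (`user`, `session`) and the in-memory store are assumptions for the illustration.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed in-memory session store: opaque session id -> user id.
# In a real application this lives server-side, where the browser cannot write to it.
SESSION_STORE: Dict[str, str] = {}


def create_session(user_id: str) -> str:
    """Login succeeded: mint an unguessable session id and remember whose it is."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = user_id
    return sid


def goofus_current_user(cookies: Dict[str, str]) -> Optional[str]:
    """Wrong way: identity is whatever the client wrote into the 'user' cookie."""
    return cookies.get("user")


def gallant_current_user(cookies: Dict[str, str]) -> Optional[str]:
    """Right way: the client presents only a session id; identity is looked up server-side."""
    sid = cookies.get("session")
    if sid is None:
        return None
    # Unknown or guessed ids resolve to nothing, so the request is treated as anonymous.
    return SESSION_STORE.get(sid)


def account_page(cookies: Dict[str, str], resolve: Callable) -> Tuple[int, str]:
    """A handler that shows callers their own account, using the given identity resolver."""
    user = resolve(cookies)
    if user is None:
        return 401, "please log in"
    return 200, f"account page for {user}"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run both resolvers against a legitimate session and a tampered cookie jar."""
    sid = create_session("alice")
    forged = {"user": "admin"}   # constructed: attacker-chosen cookie, no login happened
    legit = {"session": sid}     # constructed: what the real browser holds after login
    return {
        "goofus_forged": account_page(forged, goofus_current_user),
        "gallant_forged": account_page(forged, gallant_current_user),
        "gallant_legit": account_page(legit, gallant_current_user),
        "gallant_guess": account_page({"session": "not-a-real-id"}, gallant_current_user),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```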
