
Url hiding

 
annapoorna ch
Greenhorn
Posts: 4
I am developing a Struts application... For security purposes, I am not supposed to show the appended parameters in the URL...

How can I hide those parameters?

Like http://localhost:8080/admin/updateUsr.do?dispmethd=showUpdate&userName=14504

but I have to show only

http://localhost:8080/admin/updateUsr.do

Here I do not want to use the POST method... Can anyone give me a suggestion, please?
 
Ulf Dittmer
Rancher
Posts: 42968
Welcome to JavaRanch.

here i do not want to use post method

Why not?
 
Jeremiah Orr
Greenhorn
Posts: 6
If this decision is in your control (I know sometimes it isn't), then you might want to rethink whether having the parameters in the URL is truly a security concern. By viewing the HTML source (right-click > View Source in Explorer), anyone can see all the parameter names and values (that aren't user-input). Since the browser is sending this information to the server, there is no way around that, via POST or any other mechanism. It takes a tiny bit of extra work, but that is no deterrent to someone with a rudimentary understanding of web technology; anyone who doesn't have this understanding is probably not a security risk anyway.

I've had this argument many times, with mixed results, but I can tell you that having the parameters in the URL is no less secure than any other mechanism of submitting information to a web application. I'd recommend POST whenever you're submitting form data (particularly if passwords are part of it), but for page-to-page navigation, "parameterized URLs" are fine.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34651
Jeremiah Orr wrote: If this decision is in your control (I know sometimes it isn't), then you might want to rethink whether having the parameters in the URL is truly a security concern.

There is one specific security concern - having the URLs in web access logs. This is only a problem if you are on HTTPS though, as for HTTP anyone can see your URLs too.

Most of the time, this is not the concern people are trying to address. If you are trying to hide info from your user, moving info from the URL to the page doesn't help.
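
The access-log concern from the last reply, as an added example that is not part of any post in this thread: a GET request's query string is written to the web access log, while POST body parameters are not, so logs that must be shared or retained can be scrubbed of sensitive values. The class name, the list of sensitive parameter names, and the Common Log Format sample lines are assumptions constructed around the URL in the question.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogRedactor {
    // Request line inside a Common Log Format entry: "METHOD path?query HTTP/x.y"
    private static final Pattern REQUEST =
        Pattern.compile("\"([A-Z]+) ([^ ?\"]+)\\?([^ \"]*) (HTTP/[0-9.]+)\"");

    // Assumption: parameter names treated as sensitive (lower case for comparison).
    private static final Set<String> SENSITIVE = Set.of("username");

    static String redact(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) {
            return logLine; // no query string was logged, e.g. a POST with body parameters
        }
        StringBuilder query = new StringBuilder();
        for (String pair : m.group(3).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (query.length() > 0) {
                query.append('&');
            }
            if (eq >= 0 && SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                query.append(name).append("=REDACTED"); // keep the name, drop the value
            } else {
                query.append(pair);
            }
        }
        String requestLine = "\"" + m.group(1) + " " + m.group(2) + "?" + query
            + " " + m.group(4) + "\"";
        return logLine.substring(0, m.start()) + requestLine + logLine.substring(m.end());
    }

    public static void main(String[] args) {
        // Constructed sample log lines: the same action requested via GET and via POST.
        String[] lines = {
            "127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] \"GET /admin/updateUsr.do"
                + "?dispmethd=showUpdate&userName=14504 HTTP/1.1\" 200 512",
            "127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] \"POST /admin/updateUsr.do HTTP/1.1\" 200 512"
        };
        for (String line : lines) {
            System.out.println(redact(line));
        }
    }
}
```

The GET line comes out with `userName=REDACTED`; the POST line is unchanged because its parameters never reached the log.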
 