Keep information on the server regarding which user is authorized to view which files and enforce it there. As you have discovered, you can never trust any data coming from the client -- always validate/authorize on the server.
Its a difficult situation for me as the system has public access.And after login and password user will get access to whole system. But then we dont want that he should able to access images by changing image ids. I tried by opening window by disabling menu bar so user cannot see url but in firefox you can override this option easily. Can there any other way? Also I am opening new windows so I am using "get" method. The moment user session is established he can view images by changing different ids.This will affect the performance of system too since these pdfs are made on the fly. If there is no way then guess I have to suggest the changes in the design of system which will be a long process!
Exactly what happens when a request for an image is made?
Those URLs appear to be addressing a servlet which interprets the imgid and creates a pdf on the fly or serves an existing file. If so then the servlet will always have the session assocated with that user and can determine if access is legal. Bill
Originally posted by NareshA WaswaniA: hi pallavi, use client side scripting language and check if the image id that the user is trying to access...is he allowed for that. if yes allow him to send the request otherwise block the request.
Not a good suggestion. The client-side activity is much too easy to spoof to be relied upon. The check must be made on the server.
Thank you for suggestions. Basically its like public records which we access day today. Everything is public but then we dont want person to view images by typing url in the browser window and access images sequentially.Since its not good for security point of view and also increses load on server(pdf generation with images is expensive operation). The database is preexeisting and doesnt have restrictions as such.When user clicks on each "view image" link, I am sending to a jsp(in new browser window) where a new session is created and then send to servlet which access session values and if they are present then generates pdf on the fly.After that I nullify session. But problem is user when get session he types anything on browser window since he is validated and access images. But as Bear has said client side security is no security, I need to discuss with managers to change database and apply security at server side.
Originally posted by Pallavi Srivastava: Everything is public but then we dont want person to view images by typing url in the browser window and access images sequentially
It actually sounds like your requirement isn't security, but limiting flow.
You could give the user a token when they get to the form page that is good to view exactly one image. When the form requests an image/PDF, you check the sent token is the same as the one in the session and remove it from the session. This prevents people from circumventing your form.