[thelist] 403 or 404?
Ken Moore
psm2713 at hotmail.com
Wed Jun 6 08:49:44 CDT 2007
Hi all,
IMHO, you should not tell interlopers any more than they need to know. If
you give detailed error messages each time someone tries to crack your
security, they gain that much knowledge each time.
Everyone with access knows it already. As for everyone else, keep them in
the dark.
Ken
Bill Moseley wrote:
>
>Say I have a web application where someone must be logged in.
>To view an object a user makes a request like:
>
> /object/21
>
>where 21 is the primary key in the object table. If the user *owns*
>object 21 they can view it. If the user does not own the object do
>they get 403 or 404? Kind of seems like a 403.
>
>What if the request is for an id that doesn't exist? Does that make a
>difference?
>
> /object/393928128
>
>I'm thinking 404 in both cases (which I guess is within the spec).
>
>Would you handle things differently if the object id was
>part of a query string?
>
> /object?id=21
>
>Or in a hidden field in a posted form?
>
>
>--
>Bill Moseley
>moseley at hank.org
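Added example (not from Ken's or Bill's mail, and not from any project they mention): a minimal handler that applies the "keep them in the dark" stance to Bill's three cases. The leaky variant answers 403 for someone else's object and 404 for a missing one, so a caller can tell which ids exist; the uniform variant returns the same 404 for both, and only distinguishes "not logged in" (401), which is not a secret. The id extractor also shows that whether the id arrives in the path, the query string, or a hidden form field changes nothing about the decision. The object table, user names, and ids are constructed for the example.

```python
"""Uniform 404 for "missing" and "not yours" so object ids cannot be
enumerated by probing. Data and names below are constructed for the
example, not taken from the thread."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class StoredObject:
    id: int
    owner: str
    body: str


# Constructed stand-in for the "object" table keyed by primary key.
OBJECTS = {
    21: StoredObject(21, "alice", "alice's private note"),
    22: StoredObject(22, "bob", "bob's private note"),
}


def view_object_leaky(current_user, object_id):
    """The variant the reply argues against: distinct status codes reveal
    whether an id exists even though the body itself is withheld."""
    obj = OBJECTS.get(object_id)
    if obj is None:
        return 404, "Not Found"
    if obj.owner != current_user:
        return 403, "Forbidden"
    return 200, obj.body


def view_object(current_user, object_id):
    """Uniform variant: a missing object and another user's object get a
    byte-identical 404. Only the login requirement is disclosed (401)."""
    if current_user is None:
        return 401, "Unauthorized"
    obj = OBJECTS.get(object_id)
    if obj is None or obj.owner != current_user:
        return 404, "Not Found"
    return 200, obj.body


def extract_object_id(path, query="", form=None):
    """Find the id wherever the client put it (path segment, ?id=, or a
    hidden form field). Anything that is not a plain integer yields None,
    which the handler treats exactly like an unknown id."""
    raw = None
    if path.startswith("/object/"):
        raw = path[len("/object/"):]
    elif path == "/object":
        qs = parse_qs(query)
        if "id" in qs:
            raw = qs["id"][0]
        elif form and "id" in form:
            raw = form["id"]
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def handle(current_user, path, query="", form=None):
    """Request entry point: the authorization check is the same no matter
    where the id came from."""
    return view_object(current_user, extract_object_id(path, query, form))


if __name__ == "__main__":
    # Constructed requests covering Bill's cases, issued as "alice".
    for req in [("/object/21", "", None),
                ("/object/22", "", None),
                ("/object/393928128", "", None),
                ("/object", "id=21", None),
                ("/object", "", {"id": "22"})]:
        print(req, "->", handle("alice", *req))
```

Note that the uniform handler still performs the ownership check before the existence check is observable: it looks the object up first, then collapses both failure branches into one response, so timing and body stay the same for either case as far as this code is concerned.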