Hi Andru,
Anyone who is slightly tech-savvy just uses their WebKit/Firebug tools to track the request, or a program like Charles, which monitors network activity.
That's why you need authentication and authorization handling mechanisms in your server-side code.
Authentication is typically handled by a username and password; it is the act of verifying a user is who he is.
Authorization can be handled by Roles on the server, and is the check to make sure the user can do what they are trying to do.
With those two mechanisms in place, even if a user knows a URL, they still need to "log in" and have permission to do what they want to do.
In critical situations, you can never rely entirely on what you receive from your clients.
For instance, if you're adding a product to your shopping cart, pass only the ID of the item, and the quantity, to your server. Do not fetch price details from your client, but from your database. If someone tries to hack you and edits the item ID or quantity being sent, the worst thing that happens is that they end up buying something they didn't want; entirely their problem. (But for the very same reasons, if it's a limited offer, you would need to verify that the quantity you receive is not greater than what you allow any one customer to buy, for instance.)
Posted On:
20-Jul-2015 04:32
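The add-to-cart pattern described in the answer above, as an added example that is not part of the original post: the handler reads only the item ID and quantity from the client, ignores any client-supplied price, and enforces authentication, authorization and the per-customer limit on the server. The catalogue, session table, field names and limits are constructed sample data, not from any real shop.

```python
from dataclasses import dataclass, field

# Constructed server-side catalogue: price and per-customer limit live here,
# never in the request the client sends.
CATALOGUE = {
    "sku-100": {"name": "Widget", "price_cents": 1999, "max_per_customer": 10},
    "sku-200": {"name": "Limited Gadget", "price_cents": 4999, "max_per_customer": 1},
}

# Constructed session table: who is logged in and which role they hold.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-guest": {"user": None, "role": "anonymous"},
}


@dataclass
class Cart:
    user: str
    lines: dict = field(default_factory=dict)  # item_id -> quantity

    def total_cents(self) -> int:
        # Price always comes from the catalogue, never from the client.
        return sum(CATALOGUE[i]["price_cents"] * q for i, q in self.lines.items())


def add_to_cart(cart: Cart, session_token: str, request: dict) -> str:
    """Handle a client request; only 'item_id' and 'quantity' are read from it.
    Any 'price' field the client sends is simply ignored."""
    session = SESSIONS.get(session_token)
    if session is None or session["user"] is None:
        return "error: not authenticated"      # authentication: must be logged in
    if session["role"] != "customer" or session["user"] != cart.user:
        return "error: not authorized"         # authorization: right role, own cart
    item_id = request.get("item_id")
    item = CATALOGUE.get(item_id)
    if item is None:
        return "error: unknown item"           # tampered or invalid ID
    qty = request.get("quantity")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
        return "error: invalid quantity"       # reject strings, negatives, zero
    already = cart.lines.get(item_id, 0)
    if already + qty > item["max_per_customer"]:
        return "error: quantity exceeds per-customer limit"  # limited-offer check
    cart.lines[item_id] = already + qty
    return "ok"
```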