Details
- Bug
- Resolution: Unresolved
- High
Description
It is too easy for users to fake sid, userid, etc. parameters in URL requests if they want to cheat the system.
Proposal:
- Simplify the JavaScript code which extracts user_id or sess_id from cookies and sends it in GET params
- Fix the "execute" view to access cookie values instead of GET params, and do the logic in there
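
A sketch of the proposed "execute" view change, added here as an example and not the project's own code: identity is read from the user_id and sess_id cookies, and any sid/userid GET parameters are ignored and reported. It assumes the server HMAC-signs those cookies, since a plain cookie is as editable by the client as a GET parameter; `SECRET_KEY`, `sign`, `unsign` and `execute_view` are hypothetical names.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-side secret that is never sent to clients (constructed value).
SECRET_KEY = b"constructed-demo-key"


def sign(value: str) -> str:
    """Return 'value.mac', the form stored in the cookie."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def unsign(signed: str):
    """Return the original value if the MAC verifies, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes are used so odd input cannot raise.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return value if ok else None


def execute_view(url: str, cookie_header: str) -> dict:
    """Hypothetical 'execute' view: identity comes from signed cookies only."""
    query = parse_qs(urlsplit(url).query)
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    user_id = unsign(cookies["user_id"].value) if "user_id" in cookies else None
    sess_id = unsign(cookies["sess_id"].value) if "sess_id" in cookies else None
    if user_id is None or sess_id is None:
        return {"status": 403, "reason": "missing or tampered identity cookie"}
    # sid/userid in the query string are never trusted; list them for logging.
    ignored = sorted(k for k in ("sid", "userid") if k in query)
    return {"status": 200, "user_id": user_id, "sess_id": sess_id,
            "ignored_params": ignored}
```
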