sc_redir displaying parameter contents and url

Larryh1115 · May 7, 2020, 8:10pm

Hi -

I have just noticed after using sc_redir for years now acts just like a normal browser GET
ie: If you are running x2 SC applications on x2 separate servers, and in app1 you do an sc_redir(app2,parm1=$parm1,…) the entire url along with parameters and their respective values is disclosed.

In app1 - the value of the parameters being passed in the sc_redir are ‘$’ variables
In app2 (which is a blank type app) - the receiving parameter variables are GLOBAL variables, where the Scope of each Global variable with Session, GET and POST checked, and Type having IN checked

Unfortunately, we were recently made aware that one of the users (not certain which one, and there are literally hundreds) is trying to hack and get the data and url information.
Please please please can someone help me here so that this information is not visible through any tool

Thanks

Larry

FredWalker · May 7, 2020, 9:05pm

It’s possible to encrypt your parameters before passing them to the blank application, that could decrypt these.

You could also store the (eventually encrypted ) parameters you want in a database temporary table ( so they stay on the server ), with the session_id() as primary key, and retrieve it in the blank app that you can then call with no parameters but which will have same session_id() by process ?

Please note that nothing is unbreakable.