Many applications involve passing state between pages or (RPC) requests. A developer needs to be aware when state is passed in such a way that the client can see or modify it (e.g. URL variables, cookies, REST parameters) and take proper precautions to prevent leakage of data or unauthorized access to a website or system.
WebHare offers some APIs to help encrypt these values when they are passed 'through' a client. Even with encryption, you should be careful of 'replay' attacks, where the client reuses an encrypted value without having to understand it: you might not be able to read the session cookie you stole from a sysop, but it may still give you the same access if you can present it.
Cookies and (URL) variables
You can ask UpdateWebCookie for an encrypted cookie (which can be read using %GetDecryptedWebCookie), but you will still need to be careful about replay attacks by whoever holds its value.
- Do not consider a WRD_GUID by itself to be proof of anything; they are too easily leaked. If you need a secure way to identify a WRD entity, encrypt the GUID.
- Scopes for %EncryptForThisServer must be unique for each different use: attackers may try to inject an encrypted token into a different scope to see if anything can be learned from it.
- Do not worry about variables being passed between screens inside a Tollium application. Unlike RPC calls, data passed in function calls inside Tollium (e.g. the data passed to a LoadScreen/RunScreen) is not available to the client.
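The two caveats above, replay of a token the client cannot read and reuse of a token under a different scope, can be checked mechanically. The following is an added illustration, not WebHare code and not the behaviour of %EncryptForThisServer: it uses HMAC-signed tokens (signing in place of encryption, so it runs with the Python standard library) with the scope bound into the tag, an expiry, and a per-token nonce that a verifier refuses to accept twice. The key, scope names and payload are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed server secret for the demo; a real deployment derives this from
# the server, never from application code.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # SHA-256 output size


def _tag(scope: str, body: bytes) -> bytes:
    # The scope is part of the MAC input, so a token minted for one use fails
    # verification when presented under any other scope.
    return hmac.new(SERVER_KEY, scope.encode() + b"\0" + body, hashlib.sha256).digest()


def seal(scope: str, payload: dict, ttl: int, now: Optional[float] = None) -> str:
    """Mint a scope-bound token that expires after ttl seconds."""
    now = time.time() if now is None else now
    body = json.dumps({"p": payload, "exp": int(now) + ttl,
                       "nonce": os.urandom(8).hex()}).encode()
    return base64.urlsafe_b64encode(body + _tag(scope, body)).decode()


class ScopedTokenVerifier:
    """Opens tokens for exactly one scope and consumes each nonce once."""

    def __init__(self, scope: str):
        self.scope = scope
        self.seen = set()  # nonces already accepted; persist this in production

    def open(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.scope, body)):
            return None  # wrong key, wrong scope, or tampered body
        data = json.loads(body)
        if data["exp"] < now or data["nonce"] in self.seen:
            return None  # expired, or a replay of a token already consumed
        self.seen.add(data["nonce"])
        return data["p"]
```

Binding the scope stops cross-scope injection; only the nonce bookkeeping (or a short expiry) limits replay, which the encryption itself never does.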