[FX.php List] Obscuring the recid on URL links

Jonathan Schwartz jonathan at eschwartz.com
Tue Aug 29 13:45:33 MDT 2006


Gjermund and List,

I've managed to confuse folks on this subject.  Perhaps it is because 
in my present project there are two different modes of accessing 
records, User and Admin, and they have different needs.  Whether it 
is this project or the next, the nature of my inquiry applies to all 
projects, so I think that it would be worthwhile to me and others to 
take it from the top.

The basic question is how and when to obscure sensitive data from the 
end user that could compromise security.

Mode 1: End User.
The End User logs in with user name and password.  If successful, he 
is able to view and edit only his own record.  In this mode, the 
recid saved in a session variable is used to move the user from page 
to page.  The recid is never exposed on the URL or from buttons or 
links.  No problem here.

Mode 2: Admin
The Admin logs in with user name and password.  If successful, he is 
able to view and edit ALL user records, which will appear in a list. 
A link will appear on each line (detail.php?recid=123456) to allow 
the Admin user to view/edit the single record selected.  It is at 
this point that I posed my original question about how not to have 
the recid be exposed on the URL line.  The solution that was offered 
and accepted was to use a made-up record id comprised of 20 
characters...enough that a casual(?) hacker would not be tempted to 
view unauthorized records by simply incrementing the real recid in 
the URL.

Now...having written this out, you might be asking....as I am also 
asking myself right now...In Mode 2, where the user is an Admin and 
able to view all records anyway, then what is the need to obscure the 
recid in the first place?

Honestly, I'm not sure now.  It seemed like a good idea at the time.

So...maybe it is I that is confused. ;-)

Jonathan

At 3:03 PM +0200 8/29/06, Gjermund Gusland Thorsen wrote:
>Please do not defend your solutions, I'm not nitpicky, I'm just trying
>to understand _WHY_ you do it the way you do it.
>
>And the option to garbling the recid, I believe, is to have a login
>system with an if statement to check which login is allowed to see
>which recid.
>
>ggt667
>
>
>On 8/28/06, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
>>No, it's probably me that is dense. ;-)
>>
>>In my case, I do  use session variables. However, setting a session
>>variable with the recid when a user selects a single record from a
>>list of records... while keeping the recid invisible (in the URL and
>>Source code)... is not in my bag of tricks yet.
>>
>>Once again, the application here is in selecting a single record from
>>a list of records.
>>
>>Would love to hear a better method.
>>
>>Jonathan
>>
>>At 8:17 AM -0500 8/28/06, Tom Sepper wrote:
>>>Maybe I'm being dense here, but why is it imperative that the recid be
>>>in the URL?
>>>
>>>In my solution that I'm currently developing, I've simply put the recid
>>>in a session variable and use the session id in the URL. I'm then just
>>>simply validating recids before accessing or modifying data.
>>>
>>>
>>>---
>>>Tom Sepper
>>>Director of Information Technology
>>>Director's Choice Tour & Travel
>>>
>>>P 806.762.6354
>>>F 806.763.7637
>>>
>>>tsepper at dctandt.com
>>>www.directorschoicetourandtravel.com
>>>_______________________________________________
>>>FX.php_List mailing list
>>>FX.php_List at mail.iviking.org
>>>http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>>
>>--
>>
>>Jonathan Schwartz
>>FileMaker 8 Certified Developer
>>Associate Member, FileMaker Solutions Alliance
>>Schwartz & Company
>>jonathan at eschwartz.com
>>http://www.eschwartz.com
>>http://www.exit445.com
>>


-- 

Jonathan Schwartz
FileMaker 8 Certified Developer
Associate Member, FileMaker Solutions Alliance
Schwartz & Company
jonathan at eschwartz.com
http://www.eschwartz.com
http://www.exit445.com
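The point the thread converges on (Gjermund's "if statement to check which login is allowed to see which recid", Tom's "validating recids before accessing" data) can be shown in a single detail-page handler. The code below is an added example and is not code from this thread or from FX.php. It assumes a login page has already stored the caller's own record id in `$_SESSION['user_recid']` and a role in `$_SESSION['role']` (both key names are assumptions), and it uses a hypothetical `load_record()` with constructed sample rows in place of a real FX.php query.

```php
<?php
// Added example, not from the thread or FX.php. Assumes a login page has
// already set $_SESSION['user_recid'] (the caller's own record id) and
// $_SESSION['role'] ('user' or 'admin'); both key names are assumptions.
session_start();

// Hypothetical data access; a real page would run the FX.php query here.
function load_record(string $recid): ?array {
    // Constructed sample data so the page runs stand-alone.
    $records = [
        '123456' => ['name' => 'Alice', 'email' => 'alice@example.com'],
        '123457' => ['name' => 'Bob',   'email' => 'bob@example.com'],
    ];
    return $records[$recid] ?? null;
}

// The actual security control: may this session see $recid?
// Mode 1 (end user): only the recid stored at login. Mode 2 (admin): any.
function may_view(array $session, string $recid): bool {
    if (!isset($session['role'])) {
        return false;                       // not logged in at all
    }
    if ($session['role'] === 'admin') {
        return true;                        // admin may view every record
    }
    return isset($session['user_recid']) && $session['user_recid'] === $recid;
}

// Work out which record this request is for.
// End users never supply a recid; it comes from the session (Mode 1).
// Admins pick one from the list, so it arrives in the URL (Mode 2).
$role  = $_SESSION['role'] ?? '';
$recid = $role === 'admin'
    ? (string)($_GET['recid'] ?? '')
    : (string)($_SESSION['user_recid'] ?? '');

// Reject anything that is not a plain numeric id before it reaches a query,
// then apply the per-session authorization check.
if (!preg_match('/^\d{1,12}$/', $recid) || !may_view($_SESSION, $recid)) {
    http_response_code(403);
    exit('Not authorized to view this record.');
}

$record = load_record($recid);
if ($record === null) {
    http_response_code(404);
    exit('No such record.');
}

// Safe to render: the check above, not the shape of the id, is what stops
// a user from changing recid in the URL to reach someone else's record.
echo htmlspecialchars($record['name']), ' <',
     htmlspecialchars($record['email']), '>';
```

With this check in place the Admin's list link can stay as plain `detail.php?recid=123456`: an end user who pastes or edits that URL still hits the 403 branch, because `may_view()` compares the requested id against the one tied to their session rather than trusting the URL. A 20-character made-up id only adds friction for guessing; the session-bound check is what actually limits which records each login can reach.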
