[FX.php List] Obscuring the recid on URL links
Kevin Futter
kfutter at sbc.melb.catholic.edu.au
Sun Aug 27 18:36:07 MDT 2006
On 28/8/06 10:22 AM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:
> Thanks Kevin,
>
> With the use of a randomly generated 20 character ID used in place of
> the recid (detail.php?newid=1234567890-1234567890), how would folks
> be able to access random records? Through luck or brute force?
>
> Call me silly, but how likely is that?
>
> I guess that I could double the character string length and even add
> a counter for failed attempts by remote IP.
>
> How much is enough/too much?
>
> Jonathan
I'd say what you have now is enough. The only serious threat you'd face is
from someone who's realised that your keys are randomly generated, and
writes a bot to loop through and submit some (thousands of) possibilities. As
you've noted, it isn't very likely, and your suggested response is probably
close to the mark anyway. (I'd actually test that no single remote IP is
polling the db more than, say, once per second. If you're using sessions,
this should be quite easy to track.)
--
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/
------------------------------------------
This e-mail and any attachments may be confidential. You must not disclose or use the information in this e-mail if you are not the intended recipient. If you have received this e-mail in error, please notify us immediately and delete the e-mail and all copies. The College does not guarantee that this e-mail is virus or error free. The attached files are provided and may only be used on the basis that the user assumes all responsibility for any loss, damage or consequence resulting directly or indirectly from the use of the attached files, whether caused by the negligence of the sender or not. The content and opinions in this e-mail are not necessarily those of the College.
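A worked example, added here and not code from the thread or from FX.php itself, of the pieces Jonathan and Kevin discuss: generating a key of the shape `1234567890-1234567890` from a cryptographically secure source, estimating what a guessing bot can achieve against that key space, validating the incoming key before it reaches the database, and a once-per-second per-IP throttle. The function names (`make_record_key`, `hit_probability`, `allow_request`, `handle_detail`) and the in-memory `$last_seen` array are illustrative; the array stands in for whatever store the site would share across requests (APCu, a database table, or a session). It assumes PHP 7.1 or later for `random_int()` and list destructuring in `foreach`. One caveat on the session approach: a PHP session is identified by a cookie, so a bot that discards cookies starts a fresh session on every request and is only caught by a store keyed on the remote IP, as below.

```php
<?php
// Added example, not code from the FX.php list thread or from FX.php itself.
// Names (make_record_key, hit_probability, allow_request, handle_detail,
// $last_seen) are illustrative. Requires PHP 7.1+ for random_int() and
// foreach list destructuring.

declare(strict_types=1);

// Return $n decimal digits drawn from the CSPRNG. rand()/mt_rand() seeded
// from the clock would let a bot reproduce the key sequence.
function random_digits(int $n): string
{
    $s = '';
    for ($i = 0; $i < $n; $i++) {
        $s .= (string) random_int(0, 9);
    }
    return $s;
}

// Opaque key in the shape used in the thread: 1234567890-1234567890.
function make_record_key(): string
{
    return random_digits(10) . '-' . random_digits(10);
}

// Accept only well-formed keys before they reach the database query.
function is_valid_key(string $key): bool
{
    return preg_match('/^[0-9]{10}-[0-9]{10}$/', $key) === 1;
}

// Probability that $guesses uniformly random guesses hit at least one of
// $live_records valid keys in a space of 10^20 digits-only keys,
// i.e. 1 - exp(-guesses * live / space).
function hit_probability(int $guesses, int $live_records): float
{
    $space = 1e20;
    return 1.0 - exp(-($guesses * $live_records) / $space);
}

// Per-IP throttle: at most one lookup every $min_interval seconds.
// $last_seen maps IP => unix time of its last allowed request; it stands in
// for APCu, a database table or another store shared across requests.
function allow_request(array &$last_seen, string $ip, int $now, int $min_interval = 1): bool
{
    if (isset($last_seen[$ip]) && ($now - $last_seen[$ip]) < $min_interval) {
        return false;
    }
    $last_seen[$ip] = $now;
    return true;
}

// How detail.php?newid=... would tie the pieces together. $lookup is the
// real record fetch (an FX.php query in the original setup); it returns
// null when no record carries that key.
function handle_detail(array &$last_seen, string $ip, int $now, ?string $newid, callable $lookup): string
{
    if (!allow_request($last_seen, $ip, $now)) {
        return '429 slow down';
    }
    if ($newid === null || !is_valid_key($newid)) {
        return '404 not found';
    }
    return $lookup($newid) ?? '404 not found';
}

if (PHP_SAPI === 'cli') {
    $key = make_record_key();
    printf("generated key: %s\n", $key);

    // A bot held to Kevin's one-request-per-second limit, running for a
    // full year, against a database holding 100,000 live records.
    printf("hit probability after a year: %.2e\n",
        hit_probability(365 * 24 * 3600, 100000));

    // Constructed record store and a burst of requests from one IP.
    $records = [$key => 'record body'];
    $lookup = function (string $k) use ($records): ?string {
        return $records[$k] ?? null;
    };
    $last_seen = [];
    $requests = [[0, $key], [0, '0000000000-0000000000'], [1, '0000000000-0000000000'], [2, 'x']];
    foreach ($requests as [$t, $id]) {
        printf("t=%d newid=%s -> %s\n", $t, $id, handle_detail($last_seen, '192.0.2.10', $t, $id, $lookup));
    }
}
```

Run from the command line it prints a fresh key, a hit probability on the order of 3e-8 for a year of guessing at one request per second, and then shows the second request in the same second being refused while a well-formed but unknown key and a malformed one both get a plain not-found.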