[FX.php List] Obscuring the recid on URL links
Jonathan Schwartz
jonathan at eschwartz.com
Sun Aug 27 18:49:43 MDT 2006
Yes, I am using sessions and can watch remote IP hits. On this
particular project, the database is only going to be up for a short
time (several weeks), but I am also looking at the bigger picture. I
suppose that I can also change the random string to include alpha
with upper and lower case. That should really do it.
Thanks
Jonathan
At 10:36 AM +1000 8/28/06, Kevin Futter wrote:
>On 28/8/06 10:22 AM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:
>
>> Thanks Kevin,
>>
>> With the use of a randomly generated 20 character ID used in place of
>> the recid (detail.php?newid=1234567890-1234567890), how would folks
>> be able to access random records? Through luck or brute force?
>>
>> Call me silly, but how likely is that?
>>
>> I guess that I could double the character string length and even add
>> a counter for failed attempts by remote IP.
>>
>> How much is enough/too much?
>>
>> Jonathan
>
>I'd say what you have now is enough. The only serious threat you'd face is
>from someone who's realised that your keys are randomly generated, and
>writes a bot to loop through and submit some (thousands) possibilities. As
>you've noted, it isn't very likely, and your suggested response is probably
>close to the mark anyway. (I'd actually test that no single remote IP is
>polling the db more than, say, once per second. If you're using sessions,
>this should be quite easy to track.)
>
>--
>Kevin Futter
>Webmaster, St. Bernard's College
>http://www.sbc.melb.catholic.edu.au/
>
>_______________________________________________
>FX.php_List mailing list
>FX.php_List at mail.iviking.org
>http://www.iviking.org/mailman/listinfo/fx.php_list
--
Jonathan Schwartz
FileMaker 8 Certified Developer
Associate Member, FileMaker Solutions Alliance
Schwartz & Company
jonathan at eschwartz.com
http://www.eschwartz.com
http://www.exit445.com
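The thread above weighs two questions: how large the keyspace of a random 20-character key really is (digits only versus mixed-case alphanumerics), and how to throttle a bot that loops through guesses from one IP. The following is an added example written for this archive page; it is not code from the thread, from FX.php, or from either poster. It assumes PHP 7.1 or later (for random_int() and array destructuring in foreach), a hypothetical record count of 10,000 and a hypothetical guessing rate of 1,000 requests per second; all of those figures are constructed for the illustration. Two practitioner caveats are built in: the key is drawn from the CSPRNG (random_int), not from rand()/mt_rand(), whose output an attacker who "realises your keys are randomly generated" could otherwise predict; and the throttle is keyed on the client IP server-side, because a bot that simply drops the session cookie gets a fresh session on every request and is invisible to a session-only counter.

```php
<?php
// Added example for the "obscuring the recid" discussion; not FX.php code.
// Assumes PHP 7.1+. Record count and guess rate below are constructed figures.
declare(strict_types=1);

const DIGITS   = '0123456789';
const ALNUM_62 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/** Opaque record key of $length symbols drawn uniformly from $alphabet.
 *  random_int() is the CSPRNG and is unbiased; rand()/mt_rand() are predictable. */
function generateRecordKey(int $length = 20, string $alphabet = ALNUM_62): string
{
    $key = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

/** Entropy in bits of a key of $length symbols over an alphabet of $alphabetSize. */
function keyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

/** Expected guesses before an attacker hits ANY one of $records valid keys.
 *  Every live record is a target, so the work is keyspace / records, not keyspace / 2. */
function expectedGuessesToHitAny(int $length, int $alphabetSize, int $records): float
{
    return pow($alphabetSize, $length) / $records;
}

/** Years needed at $ratePerSecond guesses per second to expect one hit. */
function yearsToHit(float $guesses, float $ratePerSecond): float
{
    return $guesses / $ratePerSecond / (365.25 * 86400);
}

/** Fixed-window per-IP throttle: at most $limit requests per $window seconds.
 *  $buckets maps ip => [windowStart, count]. In production back it with a store
 *  shared by all PHP workers (APCu, memcached, a DB table); a plain array only
 *  survives one request. Keyed on REMOTE_ADDR, not the session, so cookie-less
 *  bots are still counted. Returns true if the request may proceed. */
function allowRequest(array &$buckets, string $ip, int $now, int $limit = 1, int $window = 1): bool
{
    if (!isset($buckets[$ip]) || $now - $buckets[$ip][0] >= $window) {
        $buckets[$ip] = [$now, 0];          // start a new window for this IP
    }
    if ($buckets[$ip][1] >= $limit) {
        return false;                       // over budget: answer 429 / drop the request
    }
    $buckets[$ip][1]++;
    return true;
}

// --- Compare the two proposals from the thread (constructed figures) ---------------
$records = 10000;       // hypothetical number of live records
$rate    = 1000.0;      // hypothetical bot speed, guesses per second
foreach ([['20 digits', 10], ['20 upper+lower+digits', 62]] as [$label, $size]) {
    $bits    = keyBits(20, $size);
    $guesses = expectedGuessesToHitAny(20, $size, $records);
    printf("%-24s %6.1f bits; at %.0f guesses/s, first hit expected after %.2e years\n",
        $label, $bits, $rate, yearsToHit($guesses, $rate));
}

printf("Sample key: %s\n", generateRecordKey(20));

// --- Throttle a bot that fires three requests in the same second ---------------------
$buckets = [];
$now = time();
$ip  = '203.0.113.7';   // RFC 5737 documentation address, constructed
foreach ([1, 2, 3] as $n) {
    printf("request %d from %s: %s\n", $n, $ip,
        allowRequest($buckets, $ip, $now) ? 'allowed' : 'rejected');
}
printf("request 1 from 203.0.113.8: %s\n",
    allowRequest($buckets, '203.0.113.8', $now) ? 'allowed' : 'rejected');
```

The numbers make the thread's intuition concrete: even the all-digit key gives about 66 bits, and widening to 62 symbols gives about 119 bits, so against a few thousand records a single bot would need astronomically long to stumble on one. The throttle is a cost-raiser, not the control: it can be sidestepped by spreading guesses over many source addresses and it will also catch legitimate users behind a shared NAT, so the key length is what actually protects the records and the per-IP limit mainly keeps a noisy scanner from loading the FileMaker host.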