Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 8 of 8
  1. #1
    New Coder
    Join Date
    Apr 2011
    Posts
    92
    Thanks
    26
    Thanked 0 Times in 0 Posts

    Social Site Security

    I am working on a social dynamic website... Right now, many of my site pages use the member's id (or $id) and a friends id (or $f_id) to process information between different websites....

    For example, when comparing common events between a logged in member and his/her friend, I may have a link like so:

    Code:
    <a http://localhost/commonfriends.php?id=$id&f_id=$f_id> Common Stuff </a>
    So my question is: is it secure to be sending user id's over the open air like this? Since anyone can just grab it. I mean I know its not as bad as sending a password, but are there any drawbacks, things I should be aware of...

    Or even better, is there a way to just hide the part of the URL that shows the id's?

    Or should I encrypt the id's somehow?

  • #2
    Senior Coder
    Join Date
    Jul 2011
    Posts
    1,226
    Thanks
    3
    Thanked 171 Times in 171 Posts
    What's so bad about people seeing user ID's? They can't use it in any way, as they will have to access your database to get information about the user.

    Specifically, what bothers you about people knowing user ID's?

  • #3
    New Coder
    Join Date
    Apr 2011
    Posts
    92
    Thanks
    26
    Thanked 0 Times in 0 Posts
    I guess I feel like if someone had a member's user id, they could somehow use it to hack into their account or maybe change stuff around...

  • #4
    Regular Coder
    Join Date
    Jan 2008
    Location
    Geneva, Switzerland
    Posts
    413
    Thanks
    12
    Thanked 29 Times in 29 Posts
    You could encrypt the IDs but that won't stop someone from decrypting it. The question to ask yourself - I think, as BluePanther suggested - would be: What could someone do with those user IDs?
    Chuck Norris counted to infinity.
    Twice.

  • #5
    Regular Coder
    Join Date
    Jul 2010
    Location
    Oregon City
    Posts
    280
    Thanks
    5
    Thanked 50 Times in 49 Posts
    the point is to make it so they can't do anything with their IDs.


    try to cover all your bases.. for example, create a log out link and generate a hash based on elements of the user's account.. that way if someone visits the link trying to log that person out, they can't do it

  • #6
    New Coder
    Join Date
    Feb 2006
    Location
    Texas
    Posts
    80
    Thanks
    1
    Thanked 8 Times in 8 Posts
    Quote Originally Posted by Adee View Post
    the point is to make it so they can't do anything with their IDs.


    try to cover all your bases.. for example, create a log out link and generate a hash based on elements of the user's account.. that way if someone visits the link trying to log that person out, they can't do it
    You just have to make sure your code doesn't allow that.(for instance, setup a table of session keys that should correspond to a userid and the user has to have a cookie that holds a matching session id)

    Even facebook sends id numbers through the URL. There's nothing insecure about that. But there could insecurities in what you do with those IDs somewhere else in your code.

    So sending IDs in the URL is not the problem

  • #7
    Senior Coder
    Join Date
    Jul 2011
    Posts
    1,226
    Thanks
    3
    Thanked 171 Times in 171 Posts
    Exactly like Truffle said. You are controlling your site's output.

    Facebook sends user ID's in the url, which isn't a problem. The ID can only be used in certain pages, and those pages determine many things like 'is this the viewer's profile?' and 'is this a friend of the viewer?' along with 'is this viewer logged in at all?', then formats the output accordingly.

    So, if your output is fixed like that, then the 'hacker' needs to access the database itself to get any information about the user. That means he'll either have to plant a file on your server (if you don't allow remote SQL access) or SQL inject your script. Hopefully you're protecting queries using mysql_real_escape_string(), meaning he'll actually have to run a script on your server, with your mysql credentials, to do anything with that ID. Highly unlikely.

    TL;DR - don't worry about unique identifiers in URL's because they don't have a direct effect on site security.

  • #8
    New Coder
    Join Date
    Apr 2011
    Posts
    92
    Thanks
    26
    Thanked 0 Times in 0 Posts
    Great stuff, thanks for the support!


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •