#1, 11-29-2011, 05:23 AM: Juniper747 (New Coder)
Social Site Security

I am working on a social dynamic website... Right now, many of my site pages use the member's id (or $id) and a friend's id (or $f_id) to process information between different pages of the site....

For example, when comparing common events between a logged in member and his/her friend, I may have a link like so:

Code:
<a href="http://localhost/commonfriends.php?id=<?php echo (int)$id; ?>&amp;f_id=<?php echo (int)$f_id; ?>">Common Stuff</a>
So my question is: is it secure to be sending user ids over the open air like this? Since anyone can just grab it. I mean, I know it's not as bad as sending a password, but are there any drawbacks, things I should be aware of...

Or even better, is there a way to just hide the part of the URL that shows the id's?

Or should I encrypt the ids somehow?
#2, 11-29-2011, 05:30 AM: BluePanther (Senior Coder)
What's so bad about people seeing user IDs? They can't use them in any way, as they would have to access your database to get information about the user.

Specifically, what bothers you about people knowing user IDs?
#3, 11-29-2011, 02:08 PM: Juniper747 (New Coder)
I guess I feel like if someone had a member's user id, they could somehow use it to hack into their account or maybe change stuff around...
#4, 11-29-2011, 02:13 PM: Arnaud (Regular Coder, Geneva, Switzerland)
You could encrypt the IDs, but that won't stop someone from decrypting them. The question to ask yourself (I think, as BluePanther suggested) would be: what could someone do with those user IDs?
#5, 11-29-2011, 02:47 PM: Adee (Regular Coder, Oregon City)
The point is to make it so they can't do anything with their IDs.

Try to cover all your bases. For example, create a logout link and generate a hash based on elements of the user's account; that way, if someone visits the link trying to log that person out, they can't do it.
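As an added illustration of the protected logout link Adee describes (this is example code, not anything posted in the thread): the token is a random per-session secret rather than a hash of account fields, stored server-side and compared in constant time, so a URL that carries only a guessed user id cannot end someone else's session. It assumes PHP 7 or newer for random_bytes() and hash_equals().

```php
<?php
// Added example, not from the thread: a logout link that only works for the
// session that rendered it. Assumes PHP 7+ (random_bytes, hash_equals).
session_start();

// Issue one random token per session and keep it server-side.
function logout_token(): string
{
    if (empty($_SESSION['logout_token'])) {
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

// The link the page renders; the token is bound to this session, not to a user id.
function logout_link(): string
{
    return '<a href="logout.php?token=' . urlencode(logout_token()) . '">Log out</a>';
}

// logout.php: act only when the supplied token matches the one stored for this session.
function handle_logout(array $query): bool
{
    $given    = (string)($query['token'] ?? '');
    $expected = (string)($_SESSION['logout_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;   // missing or foreign token: ignore the request
    }
    $_SESSION = [];
    session_destroy();
    return true;
}

// Usage on logout.php: if (!handle_logout($_GET)) { http_response_code(403); exit; }
```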
#6, 11-29-2011, 03:48 PM: Truffle (New Coder, Texas)
Quote:
Originally Posted by Adee
The point is to make it so they can't do anything with their IDs.

Try to cover all your bases. For example, create a logout link and generate a hash based on elements of the user's account; that way, if someone visits the link trying to log that person out, they can't do it.

You just have to make sure your code doesn't allow that (for instance, set up a table of session keys that correspond to a user id, and the user has to have a cookie that holds a matching session id).

Even Facebook sends id numbers through the URL. There's nothing insecure about that. But there could be insecurities in what you do with those IDs somewhere else in your code.

So sending IDs in the URL is not the problem.
#7, 11-29-2011, 04:52 PM: BluePanther (Senior Coder)
Exactly like Truffle said. You are controlling your site's output.

Facebook sends user IDs in the URL, which isn't a problem. The ID can only be used in certain pages, and those pages determine many things like 'is this the viewer's profile?' and 'is this a friend of the viewer?' along with 'is this viewer logged in at all?', then format the output accordingly.

So, if your output is fixed like that, then the 'hacker' needs to access the database itself to get any information about the user. That means he'll either have to plant a file on your server (if you don't allow remote SQL access) or SQL inject your script. Hopefully you're protecting queries using mysql_real_escape_string(), meaning he'll actually have to run a script on your server, with your mysql credentials, to do anything with that ID. Highly unlikely.

TL;DR: don't worry about unique identifiers in URLs, because they don't have a direct effect on site security.
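To show the checks Truffle and BluePanther describe in code, here is an added example of what the original poster's commonfriends.php could look like (example code, not from the thread or from any of the posters). It assumes a PDO connection in $pdo, a users table, a friendships(user_id, friend_id) table and an attendance(event_id, user_id) table, all hypothetical; the viewer's identity comes from the session, the id in the URL is merely checked against it, and the friend relationship is verified before any data is shown. Prepared statements are used in place of the mysql_real_escape_string() mentioned above.

```php
<?php
// Added example, not from the thread: commonfriends.php that takes id and f_id
// from the URL but trusts only the session to say who the viewer is.
// Assumes (hypothetical) a PDO connection $pdo and tables users(id),
// friendships(user_id, friend_id), events(id, name), attendance(event_id, user_id).
session_start();

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
}

// True only if $friendId is recorded as a friend of $userId.
function is_friend(PDO $pdo, int $userId, int $friendId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM friendships WHERE user_id = ? AND friend_id = ? LIMIT 1'
    );
    $stmt->execute([$userId, $friendId]);
    return (bool)$stmt->fetchColumn();
}

$viewer = current_user_id();
if ($viewer === null) {
    http_response_code(403);
    exit('Please log in.');
}

// The id in the URL is informational only; it must match the logged-in user,
// and f_id must be a real friend of that user. Anything else is refused.
$id   = filter_input(INPUT_GET, 'id',   FILTER_VALIDATE_INT);
$f_id = filter_input(INPUT_GET, 'f_id', FILTER_VALIDATE_INT);
if ($id !== $viewer || !is_int($f_id) || !is_friend($pdo, $viewer, $f_id)) {
    http_response_code(403);
    exit('Not allowed.');
}

// Both ids are validated integers and the relationship is verified, so the
// query is bound by parameters and the output is escaped for HTML.
$stmt = $pdo->prepare(
    'SELECT e.name FROM events e
       JOIN attendance a1 ON a1.event_id = e.id AND a1.user_id = ?
       JOIN attendance a2 ON a2.event_id = e.id AND a2.user_id = ?'
);
$stmt->execute([$viewer, $f_id]);
foreach ($stmt as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The point is that knowing or guessing an id in the URL gains nothing: the page answers only for the session's own user and only about that user's confirmed friends.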
#8, 11-30-2011, 01:16 AM: Juniper747 (New Coder)
Great stuff, thanks for the support!