Rails - Mar 2005 - RE: Best practice to manage ''id'' hacking? - can Rails help?

> Have you tried it to make sure it actually works?
Yep, it works.
> What I would do in your situation is to modify the show action
> on those controllers so that they don''t take the id from the
URL>
> but from the session. That way somebody accessing "/account/show"
> or "/transaction/show" can only see their own details, and nobody
else''s.

This will make a fat session object. For example, a typical rails app
will have a ''list'' action which sends a list of id''s
to the browser. The
user would select one of the objects from the list for the next action,
eg, view. So it would mean stuffing the session with all the id''s.

Still, it would avoid hacking all my ''find'' methods.

I''m wondering if Rails can help out with this issue [id integrity]
somehow ... For example, transparently encrypt and decrypt the object
id/session id pair. This way, the app can naively send id=22 to the
browser, which receives id=85736363484 say. Hacking the id would
fail,due to the dependency on the session id. The browser sends back the
long id, which is translated back to id=22 by Rails and then passed to
the controller.

Neville

Neville Burnell wrote:
  > I''m wondering if Rails can help out with this issue [id
integrity]
> somehow ... For example, transparently encrypt and decrypt the object
> id/session id pair. This way, the app can naively send id=22 to the
> browser, which receives id=85736363484 say. Hacking the id would
> fail,due to the dependency on the session id. The browser sends back the
> long id, which is translated back to id=22 by Rails and then passed to
> the controller.
That wouldn''t be a good idea IMHO (except on very-high-security apps). 
You''d break the ability of the user of bookmarking certain pages. Also,
you''d still be open to brute-force attacks.

I think it''s better to just check the user is allowed in a case by case
basis. Sometimes, there are public objects that all are allowed to see. 
Other times, you will want to use users as well as groups of users. 
Since it is very application specific, I don''t think mangling the URL 
should be left to rails.

At most, what would be nice of rails is to provide convenience methods 
to find_all_by_whatever that implicitly filter by user and optionally 
that just take the user.id from the session if available.

victor