Neville Burnell
2005-Mar-05 23:02 UTC
RE: Best practice to manage ''id'' hacking? - can Rails help?
> Have you tried it to make sure it actually works?Yep, it works.> What I would do in your situation is to modify the show action > on those controllers so that they don''t take the id from the URL> > but from the session. That way somebody accessing "/account/show" > or "/transaction/show" can only see their own details, and nobodyelse''s. This will make a fat session object. For example, a typical rails app will have a ''list'' action which sends a list of id''s to the browser. The user would select one of the objects from the list for the next action, eg, view. So it would mean stuffing the session with all the id''s. Still, it would avoid hacking all my ''find'' methods. I''m wondering if Rails can help out with this issue [id integrity] somehow ... For example, transparently encrypt and decrypt the object id/session id pair. This way, the app can naively send id=22 to the browser, which receives id=85736363484 say. Hacking the id would fail,due to the dependency on the session id. The browser sends back the long id, which is translated back to id=22 by Rails and then passed to the controller. Neville
Victor Jalencas
2005-Mar-06 09:10 UTC
Re: Best practice to manage ''id'' hacking? - can Rails help?
Neville Burnell wrote: > I''m wondering if Rails can help out with this issue [id integrity]> somehow ... For example, transparently encrypt and decrypt the object > id/session id pair. This way, the app can naively send id=22 to the > browser, which receives id=85736363484 say. Hacking the id would > fail,due to the dependency on the session id. The browser sends back the > long id, which is translated back to id=22 by Rails and then passed to > the controller.That wouldn''t be a good idea IMHO (except on very-high-security apps). You''d break the ability of the user of bookmarking certain pages. Also, you''d still be open to brute-force attacks. I think it''s better to just check the user is allowed in a case by case basis. Sometimes, there are public objects that all are allowed to see. Other times, you will want to use users as well as groups of users. Since it is very application specific, I don''t think mangling the URL should be left to rails. At most, what would be nice of rails is to provide convenience methods to find_all_by_whatever that implicitly filter by user and optionally that just take the user.id from the session if available. victor