Satchel

Reputation: 16724

How can I make the ids in the URL of my Rails 3 app more secure/obfuscated?

My current app uses very basic user_ids and message_ids in the URL. I want to make the ids obfuscated so that it isn't easy for someone to manually change the ids and jump into someone else's messages and so forth.

How do I do that?

Upvotes: 0

Views: 481

Answers (2)

Dylan Valade

Reputation: 5605

UUID. I am new to Rails, but I understand there to be a few options because I require the same security you want. First is the UUIDtools gem for random ids instead of sequential ones. Apparently Rails 3 supports uuid as a datatype, but it is not widely used.

Upvotes: 0

Sandeep

Reputation: 1815

The question should be "how do I sign my URL parameters, so they cannot be changed".

Use a secret salt that only the backend code (server) knows about. Then do something like concatenate all parameters (in your case, just the id) together with the salt, and create a SHA hash. Append the hash to your URL. In your controller, add a before_filter to check for correctness of hash.

Now when someone changes the id, they would also have to regenerate the hash, which is impossible without the secret salt. You can improve on this, by using the session-id, timestamp, etc. as one of the components to account for timeouts, etc.

Upvotes: 2
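A worked version of this scheme, added here as an example rather than taken from the answer or from Rails itself: it signs the id with HMAC-SHA256 keyed by the server secret instead of a bare SHA over salt plus id, carries the optional expiry timestamp the answer mentions, and compares signatures in constant time. The secret value, the `/messages/:id` path layout and the `exp`/`sig` parameter names are assumptions.

```ruby
require "openssl"

# Server-side secret known only to the backend (constructed placeholder;
# a real app would load it from the environment or an encrypted credentials store).
URL_SIGNING_SECRET = "constructed-example-secret-use-a-long-random-value".freeze

# Canonical string that gets signed: the id plus an optional expiry (unix time).
# A keyed HMAC is used instead of SHA(salt + id) so the tag cannot be forged
# by length extension or without the key.
def sign_message_id(id, expires_at = nil, secret = URL_SIGNING_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{id}|#{expires_at}")
end

# Builds the link the view would emit, e.g. /messages/42?exp=...&sig=...
def signed_message_path(id, expires_at = nil, secret = URL_SIGNING_SECRET)
  sig = sign_message_id(id, expires_at, secret)
  expires_at ? "/messages/#{id}?exp=#{expires_at}&sig=#{sig}" : "/messages/#{id}?sig=#{sig}"
end

# Constant-time comparison so the time taken does not reveal how many leading
# bytes of a guessed signature were correct.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the before_filter does with the request params: :allow only when the
# signature matches the id/expiry pair and the link has not expired.
def check_signed_params(params, secret = URL_SIGNING_SECRET, now = Time.now.to_i)
  id, exp, sig = params["id"], params["exp"], params["sig"]
  return :reject if id.nil? || sig.nil?
  return :reject if exp && exp.to_i < now
  secure_equal?(sign_message_id(id, exp, secret), sig) ? :allow : :reject
end
```

In a Rails 3 controller the `check_signed_params` logic would sit in the before_filter and redirect or raise on `:reject`. Signing only stops the link from being altered; the action should still scope the lookup to the logged-in user (for example `current_user.messages.find(params[:id])`) so a validly signed link cannot open another user's message.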
