Reputation: 25132
I'm writing a web app in PHP (using Codeigniter). I'm just wanting some security advice here. I have a task controller with a delete method. The link to delete the task is then http://localhost/task/delete/12345
So I'm wondering how to handle the fact that people have the ability to modify the link, thus deleting another task (probably not their own).
So my options I guess are to always do a check that the user owns that particular task before deleting it, or some sort of ID hashing?
Does anyone have any suggestions?
Upvotes: 1
Views: 86
Reputation: 6112
You can use session to store the item's id to delete and then on the delete page you check that the id given is equal to the session stored id.
Hope it helps you
Upvotes: 0
Reputation: 22982
So my options I guess are to always do a check that the user owns that particular task before deleting it
Yup, that's it. There's no point in hashing an id, as if some user guesses another hash id he might delete a task from another user (that would be security through obscurity, and it's not a great security method). So, yes, check that the task belongs to the user before deleting it.
Also, it isn't clear from your question, but to delete something, the user should go to blablah.com/tasks/delete/1234, and then confirm to delete the task via POST (submitting a form by clicking a button probably).
Upvotes: 2
Reputation: 2968
It is not recommended to update/delete your data via an HTTP GET request. Use POST instead.
Upvotes: 2
Reputation: 522382
Yes, check whether the user is allowed to delete that task and respond with an HTTP/1.1 403 Forbidden if he isn't. Also, make destructive actions like deleting records POST requests. Otherwise watch Google (or some other fetcher-type client) happily triggering all your delete actions.
Upvotes: 2
Reputation: 449613
So my options I guess are to always do a check that the user owns that particular task before deleting it
That is the usual, and best, approach, yes. Hashing the ID is too insecure for many use cases: the link containing the hash is stored in the browser's history, might get e-mailed around, be present in REFERER headers for outgoing links...
Either check ownership, or use a full-blown Access Control List, depending on how complex the permissions are.
Upvotes: 3
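Putting the answers above together (ownership check in the query, POST only, 403 on failure, a GET confirmation page), here is an added example of what the task controller could look like. It is not code from the question or from any answer; it assumes a CodeIgniter `tasks` table with `id` and `user_id` columns and the logged-in user's id stored in the session under `user_id`.

```php
<?php
// Added example, not from the original thread. Assumes CodeIgniter's
// session, database and form helpers are loaded, a `tasks` table with
// `id` and `user_id` columns, and the session key `user_id`.
class Task extends CI_Controller
{
    // GET /task/confirm/12345 shows a confirmation form. form_open() adds
    // CodeIgniter's CSRF token when $config['csrf_protection'] is TRUE,
    // so a third-party page cannot submit this form on the user's behalf.
    public function confirm($task_id)
    {
        $this->load->helper('form');
        echo form_open('task/delete/' . (int) $task_id)
           . '<button type="submit">Delete task</button>'
           . form_close();
    }

    // POST /task/delete/12345 performs the deletion.
    public function delete($task_id)
    {
        // Never delete on GET: crawlers, prefetchers and history follow links.
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            show_error('Deleting a task requires a POST request.', 405);
        }

        $user_id = $this->session->userdata('user_id');
        if ($user_id === false) {
            show_error('You must be logged in.', 401);
        }

        // Reject anything that is not a plain integer before it reaches SQL.
        if (!ctype_digit((string) $task_id)) {
            show_404();
        }

        // The ownership test is part of the WHERE clause, so a tampered id
        // that belongs to another user simply matches zero rows. Doing it in
        // one statement also avoids a check-then-delete race.
        $this->db->where('id', (int) $task_id)
                 ->where('user_id', (int) $user_id)
                 ->delete('tasks');

        if ($this->db->affected_rows() === 0) {
            // Either the task does not exist or it is not this user's task.
            show_error('You are not allowed to delete this task.', 403);
        }

        redirect('task');
    }
}
```

If you need to distinguish "not yours" from "does not exist", run a SELECT on the id first and return 404 when no row exists at all; otherwise the single query above is the simplest correct form.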