If you encrypt the id, you will still run into the same issue if people know what encryption algorithm you used. I would add a check on the Controller (I assume Servlet or Facelet) to verify that the user is an admin or that the id matches the id of the person logged in. I can't think of any other way besides the programmatic way, but I am not an expert.
People don't even need to know how you encrypted the user ID. They can just observe somebody else sending in an encrypted user ID and copy what that person sent in. That isn't as easy to do as just guessing random user IDs, or finding somebody else's user ID, but it's still a possible threat.
Adrian Burlington wrote: A relatively 'abstract security question': how can I prevent users from manipulating the URL to circumvent a security permission?
Since the user ID is the prime means of identifying a user, it should never be visible to anyone or anything outside of the server. An approach to this is to use an encrypted cookie. When a user logs on he is sent an encrypted cookie that contains his user ID, time of generation (according to the server that created it), the login state, a random IV and a checksum/digest. Each subsequent request from the client takes with it the encrypted Cookie, which is decrypted by the server. The server then does some checks on the content of the Cookie value; as a minimum:
1) it checks that the checksum/digest indicates that the Cookie has not been tampered with;
2) it checks that the Cookie was presented within N minutes (say 5) of being created (a window of use). If it has expired then the user is forwarded to the login page to restart the process;
3) it checks the login state.
If it passes all the tests then it is accepted as valid and the request is actioned. When the results are passed back to the client, a new value for the Cookie is generated and encrypted.
At no time is the user ID exposed to anyone outside of the server.
The Cookie value has a very limited lifetime before it expires, which means the window available for reuse/copy to another computer is very, very small.
The Cookie value cannot be forged.
If one desires that Cookies not be enabled then one can instead use a hidden field to contain the encrypted values.
Retired horse trader.
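A sketch of the sealed-cookie scheme this post describes, added here as an example in Go rather than taken from the poster (who is working in a Servlet/Facelet context): AES-GCM supplies the random IV and the integrity tag in one step, and Open applies the three checks in the order the post lists them. The Session field layout, the key and the maxAge window are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Session is the plaintext sealed inside the cookie (field layout is assumed).
type Session struct {
	UserID   int64 `json:"uid"`
	IssuedAt int64 `json:"iat"` // Unix seconds on the server clock
	LoggedIn bool  `json:"li"`
}
var ErrInvalid = errors.New("invalid session cookie")

// newGCM builds an AES-GCM AEAD; the key must be 16, 24 or 32 bytes long.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts the session; the random nonce is the IV and the GCM tag the integrity check.
func Seal(key []byte, s Session) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	plain, _ := json.Marshal(s)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Open decrypts the cookie and applies the post's checks: integrity, age within maxAge, login state.
func Open(key []byte, cookie string, now time.Time, maxAge time.Duration) (Session, error) {
	var s Session
	gcm, err := newGCM(key)
	if err != nil { return s, err }
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < gcm.NonceSize() { return s, ErrInvalid }
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil || json.Unmarshal(plain, &s) != nil { return s, ErrInvalid } // check 1: tag mismatch
	age := now.Sub(time.Unix(s.IssuedAt, 0)) // measured on the server clock, as the post requires
	if age < 0 || age > maxAge || !s.LoggedIn { return s, ErrInvalid } // checks 2, 3: window, login state
	return s, nil
}
```

Because each Seal draws a fresh nonce, two cookies for the same user never look alike, and a value copied from another user's browser still fails as soon as the window of use closes.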
Adrian Burlington posted:
Thank you all for the input!
Subject: how to avoid URL manipulation? Users place IDs on the URL to get a result without permission