CodeIgniter Forums

Full Version: Is it more secure passing data through session data or through the URI?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

I have a website that stores lots of members detail through ID numbers. Members can communicate with each other and at the moment, ID numbers are being passed through the URI when members message other members. I have checks in place to make sure that URI's are valid but I was thinking it is more secure to pass member ID data using session data instead? Does this make the system much more secure?

El Forum

First, it's always more secure, if you don't show off any possibly sensitive data to a user (either by URI or some text on your page). But you need to be sure about, how sensitive this data is. If you have like in your case user-ids in the URI, and these are auto-incremental ones, then you shouldn't show them to anybody. Either you change you user-IDs to some alpha(-numeric) string or you will process them via post-values.
For your application as well I'm not sure if you can do it with sessions (by the way: sessions can be read by the end-user, too, and changed as well Wink ).

The most ulterior way to process data in your case would be to do POST-requests - but anyhow checking the data to be valid.

And never forget the golden rule: Never trust user input Wink