Security of segments
#1

[eluser]CIfan1000[/eluser]
Hi,

If I have a controller that edits or adds a user profile, and I pass the UserID to the controller using segments, e.g. controller/index/UserID, then obviously any user can change this URL in their browser and edit any user's profile.

This concerns me since it is a security risk.

I have searched for terms like "segment security" and have not found anything in the forums.

I store the UserID in the table that has the profiles, and after authentication/login I store the current UserID in a session variable, so I can always check that the session UserID equals the UserID in the table for a particular profile.

But if anyone else has any comments or suggestions, I would very much appreciate hearing from you.

Thanks and good coding!
#2

[eluser]Colin Williams[/eluser]
It's only a security risk if you don't properly validate/access control the user's request. It would be, for instance, downright stupid for your app to assume that because a numeric value in any form of user input is supplied (segment, post value, cookie...), that it authenticates or authorizes the action.

So, let's say a page can be edited at /pages/admin/edit/3. You are going to have to have some authorization checks in the 'edit' method.
#3

[eluser]Colin Williams[/eluser]
One thing you don't want, though, is ambiguous URLs.
#4

[eluser]Colin Williams[/eluser]
Short, sure. But it's ambiguous. Let's say you can share your profile. So, someone goes to their profile, copies 'http://www.example.com/profile' and sends it to a friend. Not gonna work, is it?

You could still have it as a shortcut, so long as it redirects correctly.
#5

[eluser]CIfan1000[/eluser]
Dear Colin and jeremyapp,

Thank you both for your quick and as usual very helpful suggestions.

Passing the profile ID in a session variable is certainly a good idea.

However, being a newbie at this, I am not sure how to implement it. Please allow me to explain:

I have a "my listings" page where a user can see their listings. The way I was thinking of designing it was to have an edit link for each listing. E.g.:

Listing 1 details.......
Edit >>

Listing 2 details......
Edit>>

I do not know, and am unable to imagine, how to set a session variable with the listingID when the user clicks on the appropriate Edit>> link.

The reason, so far, I was thinking of passing the listingID in a URI to a controller is because I can set the ListingID as part of the URI in each Edit>> link.

If someone could please explain to me how to:

1) Have this functionality using a ListingID in a session variable (as jeremyapp suggests)
and/or
2) Using the listingID in the URI (as Colin suggests) and have it be secure

The way I am thinking of handling option 2) is: I store the UserID with each listing in the table that has the listings, and after authentication/login I store the current UserID in a session variable.

Then, during an edit for a listing, I can check that the session UserID equals the UserID in the table for this listing. This way the user could only edit their own listings, even if they typed in a different URL in the address bar of their browser. Do you have any other suggestions, Colin?

Thank you both in advance for your time, interest and effort!
#6

[eluser]Colin Williams[/eluser]
With a solid user system, you should have access to the authenticated user object. Consider a user object with this prototype:

Code:
$user->uid;
$user->name;
$user->email;

Then, each of the listings would need to have a reference to the user who "owns" it (or you have another table that holds the reference).

So, you would load the requested listing by the id passed in the URI, and do a check. Let's consider that the listing object follows this prototype:

Code:
$listing->lid;
$listing->uid;
$listing->title;
$listing->description;

All you need to do, then, is pair up the uids:

Code:
// Deny the edit unless the logged-in user owns the listing
if ($user->uid != $listing->uid)
{
   $data['error'] = 'Access denied';
   $this->load->view('general/error', $data);
   return; // stop here so the edit logic below never runs for a foreign listing
}
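To show how the ownership check above fits into the OP's option 2 (ListingID in the URI, UserID in the session), here is an added example of a CodeIgniter 1.x style controller. It is not code from the thread; it assumes a 'listings' table with columns lid, uid, title and description, that login stored the user's uid in the session under 'uid', and that the views 'general/error' and 'listings/edit' exist.

```php
<?php
// Added example (not from the thread): ownership check applied on BOTH the
// edit form (GET) and the save (POST), since an attacker can POST to
// listings/save/3 directly without ever requesting the edit form.
class Listings extends Controller
{
    function __construct()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->database();
    }

    // Returns the listing only if it exists and belongs to the logged-in user;
    // otherwise renders an error (or 404) and returns NULL.
    function _owned_listing($lid)
    {
        $uid = $this->session->userdata('uid');
        if ($uid === FALSE) {
            redirect('auth/login');        // not logged in (assumed login route)
        }
        // The URI segment is untrusted input: insist on a positive integer.
        if ( ! ctype_digit((string) $lid) || (int) $lid < 1) {
            show_404();
        }
        $listing = $this->db->get_where('listings', array('lid' => (int) $lid))->row();
        if ($listing === NULL) {
            show_404();                    // unknown listing: don't reveal more
        }
        if ((int) $listing->uid !== (int) $uid) {
            $data['error'] = 'Access denied';
            $this->load->view('general/error', $data);
            return NULL;
        }
        return $listing;
    }

    function edit($lid = NULL)
    {
        if (($listing = $this->_owned_listing($lid)) === NULL) return;
        $this->load->view('listings/edit', array('listing' => $listing));
    }

    function save($lid = NULL)
    {
        if ($this->_owned_listing($lid) === NULL) return;
        // lid comes from the URI already verified above, never from a hidden form field
        $this->db->where('lid', (int) $lid);
        $this->db->update('listings', array(
            'title'       => $this->input->post('title'),
            'description' => $this->input->post('description'),
        ));
        redirect('listings/edit/' . (int) $lid);
    }
}
```

The "my listings" page can keep building plain Edit>> links such as listings/edit/3; a tampered lid in the address bar only ever reaches the error view or a 404.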
#7

[eluser]CIfan1000[/eluser]
Thanks Colin!

That's very helpful and I will implement this - thank you for sharing your experience with me. Again.

Wow - I am continuously impressed with how helpful and friendly people such as you are on CodeIgniter! I hope to be able to give back as I get more experienced.