validating access by url

#1
Hi all,

I have a multiuser application and the user can access http://myapp/bills/edit/1 to edit the bill with id 1.

Looking at that url, the user can modify it to http://myapp/bills/edit/2 to edit the bill with id 2.

But maybe the bill with id 2 belongs to another user!!

Is there a way to control that kind of access? Maybe with some configuration? Checking it in the database will be a lot of work (I have several controllers).

Thanks in advance

My apologies if it's a duplicated thread ...

#2
Use a session for each user. Session data has their uid. If session uid and uid do not match they can't access that page/url.
Simpler is always better

#3
Hi donpwinston,

I don't get you. I'm already using sessions. It is a correctly logged-in user who can access that url and should not be able to ...

#4
I think this is very straight forward. You have a user requesting information. The first thing to do is to see if that user has permission to access that information. i.e. does bill id 2 belong to that user or not. If not, they get an error message.

Less straightforward is using ids in urls. Your bill should be assigned a unique code upon creation, so the request url is more like:

Code:
Not:
http://myapp/bills/edit/1

But:
http://myapp/bills/edit/jh234hdhpewsdkfj

Now what are you going to change to guess the next bill? Even if you do guess a bill code, you will not have permission to view it anyway. Also, if I get a new bill marked id=27, I can now guess you have issued 27 bills. With a code, you have no idea.

I would never use an id in a url. All my resources are accessed via a code, normally 16 characters long. But you MUST still make sure that the requesting user actually has permission to access the requested resource.

Hope that helps,

Best wishes,

Paul.
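The two points made in posts #2 and #4 (compare the session uid against the bill's owner on every request, and refer to bills by an unguessable code rather than a sequential id) can be put in one chokepoint that every controller calls, which also answers the original concern about repeating the check in several controllers. The following is an added example, not code from this thread or from any particular framework; it assumes Python with the standard-library sqlite3 module, a session represented as a dict holding "uid", and the bill codes, user ids and amounts are constructed sample data. The `owns_bill` decorator, `load_owned_bill` and `Forbidden` are names chosen here for illustration.

```python
import secrets
import sqlite3
from functools import wraps


class Forbidden(Exception):
    """Raised when the logged-in user may not access the requested bill."""


def new_bill_code() -> str:
    # 12 random bytes -> 16 url-safe characters; random, not sequential,
    # so a user cannot guess the next code or count how many bills exist.
    return secrets.token_urlsafe(12)


def init_db() -> sqlite3.Connection:
    """Constructed sample data: bill 1 belongs to user 10, bill 2 to user 20."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bills (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL,"
        " user_id INTEGER NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO bills (id, code, user_id, amount) VALUES (?, ?, ?, ?)",
        [
            (1, "jh234hdhpewsdkfj", 10, 19.99),  # constructed: owned by user 10
            (2, "QmQ7s0xVpLr3aZ1c", 20, 42.00),  # constructed: owned by user 20
        ],
    )
    return conn


def load_owned_bill(conn: sqlite3.Connection, session: dict, code: str) -> dict:
    """The single ownership check: the query itself is scoped to the session uid."""
    uid = session.get("uid")
    if uid is None:
        raise Forbidden("not logged in")
    row = conn.execute(
        "SELECT id, code, user_id, amount FROM bills WHERE code = ? AND user_id = ?",
        (code, uid),
    ).fetchone()
    if row is None:
        # Same outcome whether the bill does not exist or belongs to someone
        # else, so the URL cannot be used to probe which codes are valid.
        raise Forbidden("no such bill for this user")
    return {"id": row[0], "code": row[1], "user_id": row[2], "amount": row[3]}


def owns_bill(action):
    """Decorator for controller actions with signature (conn, session, code, ...).

    The action receives the already-authorized bill instead of the raw code,
    so it cannot forget the check.
    """
    @wraps(action)
    def wrapper(conn, session, code, *args, **kwargs):
        bill = load_owned_bill(conn, session, code)
        return action(conn, session, bill, *args, **kwargs)
    return wrapper


@owns_bill
def view_bill(conn, session, bill):
    return bill


@owns_bill
def edit_bill(conn, session, bill, new_amount: float):
    # Scoping the UPDATE by user_id as well is defence in depth: even if the
    # bill dict were tampered with, another user's row cannot be touched.
    conn.execute(
        "UPDATE bills SET amount = ? WHERE id = ? AND user_id = ?",
        (new_amount, bill["id"], session["uid"]),
    )
    return {**bill, "amount": new_amount}


def demo() -> bool:
    """User 10 can edit their own bill but not user 20's, even knowing its code."""
    conn = init_db()
    user10 = {"uid": 10}
    own = edit_bill(conn, user10, "jh234hdhpewsdkfj", 5.0)
    try:
        view_bill(conn, user10, "QmQ7s0xVpLr3aZ1c")  # user 20's bill
        return False
    except Forbidden:
        return own["amount"] == 5.0


if __name__ == "__main__":
    print("ownership check holds:", demo())
```

The important part is that the `WHERE ... AND user_id = ?` clause lives in one function and the decorator forces every action through it; a controller that forgets the decorator simply never receives a bill object. The random code is an extra layer on top of that check, not a replacement for it, exactly as post #4 says.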




  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.