Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.
---------- Forwarded message ----------
From: Vinod K. [email protected]
Date: Sep 25, 2006 11:48 PM
Subject: [Rails] Encrypt URL Params, such as the id
To: [email protected]
Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.
–
Posted via http://www.ruby-forum.com/.
Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the url.
Bogdan I. wrote:
Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the url.
Unfortunately, that’s still not much of an improvement from a security
standpoint. Anyone who knows what they’re doing can do a “view source”
and hack around with the ids.
I would suggest putting the id in a session :
session[:the_id] = @the_id
On 26 Sep 2006, at 15:13, Jon C. wrote:
session[:the_id] = @the_id
This won’t be much use if you want to avoid ids being used in links.
You could go about it in a number of ways: in your models, hash a
certain field before_save and save it in a seperate field, you can
then use this field to search the record.
E.g. id, name, value, hashed_id (hash of id with a certain salt)
In routes, map /:controller/:action/:hashed_id.
But in general, this doesn’t provide anymore security than exposing
the id does.
You could also use a reversible encryption algorithm such as DES
combined with Base64 and encrypt the ID with it.
All of this is adding an overhead to your application which could
prove as useful as filling the ocean with buckets of water.
Best regards
Peter De Berdt
On 9/26/06, Vinod K. [email protected] wrote:
Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.
What are you really trying to accomplish here? Why is it bad if your
users know the IDs of your model objects?
– James
What I am trying to achieve is so that malicious users do not call
controller actions in a loop with all the IDs, thereby killing the
server.
-Vinod
Vinod K. wrote:
Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.What are you really trying to accomplish here? Why is it bad if your
users know the IDs of your model objects?– James
And what would happen if they just repeatedly threw randomly generated
parameters at it?
_Kevin
I would say that this kind of security by obfuscation is normally
unnecessary. If you encrypt the url values, what’s to stop me from
noting the encrypted values and spoofing a form to send the encrypted
values.
Surely the security should be in the application in that only methods
that should be exposed are exposed to general users.
Ross
On 9/26/06, Jon C. [email protected] wrote:
session[:the_id] = @the_id
–
Posted via http://www.ruby-forum.com/.
–
Ross R.
[email protected]
In that case, try and solve the problem you actually have, rather than
find ways to hide it.
There are plenty of ways you can prevent malicious users breaking an
application.
- Log the originating IP of requests and deny access after a certain
number of requests. - Create a token which is hashed and must be included in requests,
expire these after a certain amount of time. - Use a captcha form or similar principle to prevent automated
requests.
Such techniques are much more efficient since they provide security at
the point of the problem. As others have pointed out malicious users
can always find a way around obfuscation and you’ll find yourself
continually fighting fires with your code.
Ross
On 9/27/06, _Kevin [email protected] wrote:
–
Ross R.
[email protected]