Encrypt URL Params, such as the id

Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.

---------- Forwarded message ----------
From: Vinod K. [email protected]
Date: Sep 25, 2006 11:48 PM
Subject: [Rails] Encrypt URL Params, such as the id
To: [email protected]

Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.


Posted via http://www.ruby-forum.com/.

Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the url.

Bogdan I. wrote:

Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the url.

Unfortunately, that’s still not much of an improvement from a security
standpoint. Anyone who knows what they’re doing can do a “view source”
and hack around with the ids.

I would suggest putting the id in a session :

session[:the_id] = @the_id

On 26 Sep 2006, at 15:13, Jon C. wrote:

session[:the_id] = @the_id

This won’t be much use if you want to avoid ids being used in links.
You could go about it in a number of ways: in your models, hash a
certain field before_save and save it in a seperate field, you can
then use this field to search the record.

E.g. id, name, value, hashed_id (hash of id with a certain salt)

In routes, map /:controller/:action/:hashed_id.

But in general, this doesn’t provide anymore security than exposing
the id does.

You could also use a reversible encryption algorithm such as DES
combined with Base64 and encrypt the ID with it.

All of this is adding an overhead to your application which could
prove as useful as filling the ocean with buckets of water.

Best regards

Peter De Berdt

On 9/26/06, Vinod K. [email protected] wrote:

Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.

What are you really trying to accomplish here? Why is it bad if your
users know the IDs of your model objects?

– James

What I am trying to achieve is so that malicious users do not call
controller actions in a loop with all the IDs, thereby killing the
server.

-Vinod

Vinod K. wrote:

Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external
user.

What are you really trying to accomplish here? Why is it bad if your
users know the IDs of your model objects?

– James

And what would happen if they just repeatedly threw randomly generated
parameters at it?

_Kevin

I would say that this kind of security by obfuscation is normally
unnecessary. If you encrypt the url values, what’s to stop me from
noting the encrypted values and spoofing a form to send the encrypted
values.

Surely the security should be in the application in that only methods
that should be exposed are exposed to general users.

Ross

On 9/26/06, Jon C. [email protected] wrote:

session[:the_id] = @the_id


Posted via http://www.ruby-forum.com/.


Ross R.
[email protected]

In that case, try and solve the problem you actually have, rather than
find ways to hide it.
There are plenty of ways you can prevent malicious users breaking an
application.

  1. Log the originating IP of requests and deny access after a certain
    number of requests.
  2. Create a token which is hashed and must be included in requests,
    expire these after a certain amount of time.
  3. Use a captcha form or similar principle to prevent automated
    requests.

Such techniques are much more efficient since they provide security at
the point of the problem. As others have pointed out malicious users
can always find a way around obfuscation and you’ll find yourself
continually fighting fires with your code.

Ross

On 9/27/06, _Kevin [email protected] wrote:


Ross R.
[email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs