[英]how can I make the id's in the URL of my Rails 3 app more secure/obfuscated?
My current app uses very basic user_id's and message_id's in the URL. 我当前的应用程序在URL中使用非常基本的user_id和message_id。 I want to make the id's obfuscated so that it isn't easy for someone to manually change the id's and jump into someone else's messages and so forth. 我想让id被混淆,以便有人手动更改id并跳转到别人的消息等等是不容易的。
How do I do that? 我怎么做?
the question should be "how do I sign my URL parameters, so they cannot be changed". 问题应该是“我如何签署我的URL参数,因此无法更改”。
Use a secret salt that only the backend code (server) knows about. 使用只有后端代码(服务器)知道的秘密盐。 Then do something like concatenate all parameters (in your case, just the id) together with the salt, and create a SHA hash. 然后做一些事情,比如连接所有参数(在你的情况下,只是id)和salt,并创建一个SHA哈希。 Append the hash to your URL. 将哈希附加到您的URL。 In your controller, add a before_filter to check for correctness of hash. 在您的控制器中,添加before_filter以检查哈希的正确性。
Now when someone changes the id, they would also have to regenerate the hash, which is impossible without the secret salt. 现在当有人更改id时,他们还必须重新生成哈希,如果没有秘密盐,这是不可能的。 You can improve on this, by using the session-id, timestamp, etc. as one of the components to account for timeouts, etc. 您可以通过使用session-id,timestamp等作为计算超时等的组件之一来改进这一点。
UUID. UUID。 I am new to rails but I understand there to be a few options because I require the same security you want. 我是rails的新手,但我知道有一些选项,因为我需要你想要的相同安全性。 First is a UUIDtools gem for random id's instead of sequential. 首先是随机id而不是顺序的UUIDtools gem。 Apparently Rails 3 supports uuid as a datatype but it is not widely used. 显然Rails 3支持uuid作为数据类型,但它没有被广泛使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.