how can I make the id's in the URL of my Rails 3 app more secure/obfuscated?
Question
My current app uses very basic user_id's and message_id's in the URL. I want to make the id's obfuscated so that it isn't easy for someone to manually change the id's and jump into someone else's messages and so forth.
How do I do that?
2 answers
solution1
2 2011-03-26 06:23:02
the question should be "how do I sign my URL parameters, so they cannot be changed".
Use a secret salt that only the backend code (server) knows about. Then do something like concatenate all parameters (in your case, just the id) together with the salt, and create a SHA hash. Append the hash to your URL. In your controller, add a before_filter to check for correctness of hash.
Now when someone changes the id, they would also have to regenerate the hash, which is impossible without the secret salt. You can improve on this, by using the session-id, timestamp, etc. as one of the components to account for timeouts, etc.
solution2
0 2011-03-26 06:30:37
UUID. I am new to rails but I understand there to be a few options because I require the same security you want. First is a UUIDtools gem for random id's instead of sequential. Apparently Rails 3 supports uuid as a datatype but it is not widely used.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.