
Guys, I have a question.

I'm currently building a wizard that has 5 steps until being completed.

The user starts at the first step, where he generates the entry id. From there on I start passing the id over the URL like this:

host.com/{controller}/{view}/{id}

This is how my URL looks after step1, currently at view step2, passing id=120:

host.com/{controller}/step2/120

This isn't safe because, as you know, anyone can change the id and affect other users' entries. Ofc, it can be quickly solved by reading if the authenticated user is the proprietor of the entry that he must be trying to access in each view.

Now, my question is... is there a better way to do this? Any tips for future work? Is what I'm doing enough? (beginner doubt praying for an expert answer) Cheers

Lothre1
  • Store step/id in encrypted cookie, this way there is no way for client to modify it. – LeffeBrune Sep 13 '12 at 16:22
  • Recommend against this strategy... I've found it's a real pain. I would suggest putting your entire wizard data into one model and using jQuery to shift between "panes" of wizard pages, then submit at the end. – Jeremy Holovacs Sep 13 '12 at 16:24
  • By placing it all in JavaScript, the ability to save partial progress becomes extremely challenging. – endyourif Sep 13 '12 at 17:41
  • Jeremy, it's true, part of my wizard views are divided into subviews like: [[1,[1.1 Option,1.2 option,1.3 option]],[2,[2.1 Option,2.2 option,2.3 option]],...] but if I had to do all these topics in a single view it would be a pain. – Lothre1 Sep 15 '12 at 00:09

2 Answers


If you are truly concerned about the user altering the ID in the URL, then you must spend the additional time adding an "isOwnedBy" like functionality.

As an additional security measure, you could pass it via a hidden variable in the form so it is at least not as easy to change as well.

Edit: I like @LeffeBrune's suggestion of encrypting the id as well. However, I still suggest that the validation is performed on the function to ensure the user owns the object. It's just good practice.

endyourif
  • A user could change form variables too. – jrummell Sep 13 '12 at 17:17
  • I totally agree with you, hidden variables work fine and I've thought about it before. Actually, I'm using them in my wizard but not for this purpose. As jrummell said, they are not completely safe, but as you have said they do the job. Thank you for sharing your knowledge guys. I really appreciate it – Lothre1 Sep 15 '12 at 00:01

...It can be quickly solved by reading if the authenticated user is the proprietor of the entry that he must be trying to access in each view.

Yes, that's true. You should start there.

Here are some other things that you could do:

  1. You could make your entry ids GUIDs instead, so that a would-be hacker would never try to guess an entry id.
  2. Because using GET for sensitive data is a bad idea, you could, as endyourif suggests, pass the entry ids with hidden fields instead.
Jim G.
  • I've found that GUIDs seem an interesting approach, as the cookie method may also work (referred to by LeffeBrune above) – Lothre1 Sep 15 '12 at 00:06
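
An added example, not code from any of the posts above: the ownership check both answers recommend, applied on every wizard step, with random ids as a second layer. It is written framework-neutral in Python because the thread names no framework; `ENTRIES`, `load_owned_entry`, `handle_step` and the user names are hypothetical.

```python
import uuid

class NotFound(Exception):
    """Maps to HTTP 404; raised for missing AND foreign entries alike."""

# Constructed in-memory store standing in for the table of wizard entries.
ENTRIES = {}

def create_entry(owner_id):
    """Step 1: create the entry and bind it to the authenticated user."""
    entry_id = str(uuid.uuid4())  # random id: hard to guess, but not an access control
    ENTRIES[entry_id] = {"owner_id": owner_id, "step": 1, "data": {}}
    return entry_id

def load_owned_entry(entry_id, current_user_id):
    """The "isOwnedBy" check: every step handler fetches the entry through here."""
    entry = ENTRIES.get(entry_id)
    # Same error for "does not exist" and "belongs to someone else", so the
    # response does not reveal which ids are valid.
    if entry is None or entry["owner_id"] != current_user_id:
        raise NotFound(entry_id)
    return entry

def handle_step(step, entry_id, current_user_id, form):
    """Handler for /{controller}/step{N}/{id}. current_user_id comes from the
    server-side session, never from the URL, a hidden field or the form."""
    entry = load_owned_entry(entry_id, current_user_id)
    entry["data"][step] = dict(form)
    entry["step"] = max(entry["step"], step)
    return entry

def demo():
    alice, mallory = "alice", "mallory"  # constructed user ids
    entry_id = create_entry(alice)
    handle_step(2, entry_id, alice, {"colour": "blue"})
    try:
        # Mallory is logged in and submits step 2 with Alice's id in the URL.
        handle_step(2, entry_id, mallory, {"colour": "red"})
        tampered = "accepted"
    except NotFound:
        tampered = "rejected"
    return tampered, ENTRIES[entry_id]["data"][2]["colour"]

if __name__ == "__main__":
    print(demo())
```

The check gives the same result whether the id arrives in the URL, a hidden field or a cookie, because the decision depends only on the server-side session user and the stored owner.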