
I'm using intraweb and it gives me 3 options for passing parameters.

  1. Using a ?param in the url
  2. Using hidden fields
  3. Using cookies

As far as my code is concerned which option I choose doesn't really matter, the framework abstracts me from that.

But, which one is more secure against tampering by the user?

Johan
  • @All thanks for answering the question. I had a notion that hidden fields were somehow secure against manipulation. Thanks for curing me of that mistaken belief. – Johan May 22 '11 at 20:15

5 Answers

4

Passing data in URL parameters risks exceeding the length limit on URLs and can interfere (or be a feature!) with bookmarks. Passing as cookies risks the user having turned cookies off (or the client not supporting cookies). Passing as hidden fields is the most portable.

None of the methods in themselves provide any level of security.

EDIT: One suggestion in the excellent article that lance pointed to is to store your sensitive data on the server and only transmit a cookie to the client. This is a different use of the term cookie and should more properly be called a session id, which can be transmitted back and forth between the server and client using any of the three methods you are considering.

Ted Hopp
1

They are all easily duplicated / modified using freely available tools, so I would say use whichever suits your application the best - they are equivalent in terms of security, none of them should be trusted.

Consider using a crypto hash issued by the server-side to prevent tampering whichever option you go for.

Nathan
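Added example (mine, not code from any answer above and not IntraWeb code; written in Python rather than Delphi so the idea is visible without the framework). It shows the two suggestions that came up in this thread: Nathan's server-issued MAC over the value, which lets the server detect a tampered parameter whether it came back in the URL, a hidden field or a cookie, and Ted Hopp's alternative of keeping the data on the server and sending the client only an opaque session id. SERVER_KEY, the "p" parameter name, the "/catalog" path and the SessionStore class are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import html
import secrets
from urllib.parse import quote, urlencode

# Hypothetical server-side secret: generated once at startup and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return '<value>.<mac>' where mac = HMAC-SHA256(key, value), base64url without padding.

    The value itself stays readable by the user; only modification is detectable.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    mac_b64 = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return f"{value}.{mac_b64}"


def verify_value(token: str, key: bytes = SERVER_KEY):
    """Return the original value if the MAC checks out, otherwise None.

    Splits on the LAST '.', so values containing '.' still round-trip
    (base64url output never contains '.').
    """
    value, sep, _mac = token.rpartition(".")
    if not sep:
        return None  # no MAC at all: treat as tampered
    expected = sign_value(value, key)
    # Constant-time comparison so a byte-at-a-time timing oracle cannot rebuild the MAC.
    if not hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8")):
        return None
    return value


def transports(token: str) -> dict:
    """The same signed token carried by each of the three mechanisms (constructed strings)."""
    return {
        "url": "/catalog?" + urlencode({"p": token}),
        "hidden_field": f'<input type="hidden" name="p" value="{html.escape(token, quote=True)}">',
        "cookie": "Set-Cookie: p=" + quote(token, safe="") + "; HttpOnly; Secure; SameSite=Lax",
    }


class SessionStore:
    """Ted Hopp's variant: the data never leaves the server, only an unguessable id does."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable from the data
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid: str):
        # A forged or modified id simply finds nothing; there is no value to tamper with.
        return self._sessions.get(sid)


if __name__ == "__main__":
    tok = sign_value("user_id=42")
    print("signed token:", tok)
    print("verifies:", verify_value(tok))
    forged = "user_id=43" + tok[len("user_id=42"):]   # user edits the value, keeps the MAC
    print("forged token verifies:", verify_value(forged))
    for name, carrier in transports(tok).items():
        print(f"{name:13} {carrier}")
    store = SessionStore()
    sid = store.create({"user_id": 42})
    print("session lookup:", store.lookup(sid), "forged id:", store.lookup("forged-id"))
```

Whichever carrier you pick, the server must re-run verify_value (or the session lookup) on every request before using the value; the MAC only tells you the bytes are the ones you issued, it does not hide them and does not stop a user replaying an old token they were legitimately given.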
0

From the security point of view, all of them should be treated the same on the server. Just because a variable is passed through pigeon transfer instead of GET, that doesn't mean it's safe. It's still coming from the evil user.

So make sure you use the exact same safety mechanisms for all of them.

rid
0

None of them are secure (though it's not clear what kind of security you mean exactly).

One obvious difference of course is that url params are always visible - if a user creates a bookmark or sends a URL to somebody, the parameter goes with it.

marapet
0

To what is already said I would like to add that when you have params in the url it lets the user create bookmarks - http://bikes.com/catalog.aspx?category=downill [not real address]. So that may be better in some cases than the other two options.

Piotr Perak