[RESOLVED] Social Site Security

juniper747

I am working on a social dynamic website... Right now, many of my site pages use the member's id (or $id) and a friends id (or $f_id) to process information between different websites....

For example, when comparing common events between a logged in member and his/her friend, I may have a link like so:

<a http://localhost/commonfriends.php?id=$id&f_id=$f_id> Common Stuff </a>

So my question is: is it secure to be sending user id's over the open air like this? Since anyone can just grab it. I mean I know its not as bad as sending a password, but are there any drawbacks, things I should be aware of...

Or even better, is there a way to just hide the part of the URL that shows the id's?

Or should I encrypt the id's somehow?

dagon

would if matter if i changed the id in the url? if yes, then don't do it that way.

traq

more specifically, is $id or $f_id used to access any information that should be secure (in this example, or anywhere on the site)?

if "anyone" is allowed to look at "anything," then fine. but I would expect that's not the case (especially if I were a user on your site).

Weedpacket

Certainly you shouldn't rely on the content of a URL for communicating anything sensitive; a URL could contain anything and come from anyone.

In your example, you have the logged-in user's ID as part of the URL: this is both redundant (you already have the logged-in user's ID, right?) and open to abuse(anyone could change it to anything they want). Also, is the "friend" cited in the URL really a friend of the user? What you have isn't for comparing "common events between a logged in member and his/her friend", but for "common events between any two arbitrary members".

In short: URLs are totally insecure: always determine that the user making a request is authorised to make it.

However, it seems clear that there needs to be some sort of publicly-usable mechanism for identifying arbitrary members, else how will they ever be able to refer to each other? (Incidentally, notice how this site does it.)

shark4102

Could we store this in a SESSION or POST it to the next page?

johanafm

I am assuming you require the user to login as to authenticate themselves. After this point, you should allready have the user's id in $_SESSION and use it to keep track of which user is which.

Wether you pass stuff around in URL or POST data doesn't matter. It's just slightly easier to modify an existing url than creating your own post request, but not by much.

So pass the friend id around any way you like. Just make sure that the one claiming to be friends with that person is logged in and that their user_id has such a friend.

juniper747

johanafm;10992006 wrote:
I am assuming you require the user to login as to authenticate themselves. After this point, you should allready have the user's id in $_SESSION and use it to keep track of which user is which.

Wether you pass stuff around in URL or POST data doesn't matter. It's just slightly easier to modify an existing url than creating your own post request, but not by much.

So pass the friend id around any way you like. Just make sure that the one claiming to be friends with that person is logged in and that their user_id has such a friend.

johanafm;10992006 wrote:
I am assuming you require the user to login as to authenticate themselves. After this point, you should allready have the user's id in $_SESSION and use it to keep track of which user is which.

Yes I have a code that I run at the top of every php page of my site:

<?php
include_once("scripts/checkuserlog.php");
?>
This code checks to see if 
[CODE] 
isset($_SESSION['id']

If so, then its sets some options that run across the top of every page, such as user's Name, Home, Logout, Account Settings etc.

THen on pages where I have a logged in member looking at someone eles profile or friends page, I also add this (to grab the other users ID):

if ($_GET['id']) {
    $id = $_GET['id'];
}

And then I have another mysql query to check a table in the database to see if both members are "friends."

Is this sufficient or overkill?

johanafm

I'd say it's sufficient and necessary.

juniper747

Thanks!