Forums / Developer / Revealing user ID & security
Piotrek Karaś
Tuesday 12 August 2008 7:29:08 am
Hi all,
Do you think revealing user ID (actual ID, not NodeID) in the forms or URLs could be potentially risky for any reason?
Thanks, Piotrek
-- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu
Friday 15 August 2008 11:27:27 pm
Or maybe another way: is revealing object ID risky at all? User ID is a content object ID after all...
André R.
Sunday 17 August 2008 7:23:02 am
Only if you only visually block certain users from being able to do something with an object (e.g. code in templates to decide who should see the edit / delete button based on something else than actual user rights).
eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription @: http://twitter.com/andrerom
Sunday 17 August 2008 8:11:36 am
Oh, yeah, but then it wouldn't be the best practice in any case, I suppose.
I'm thinking of users' mutual contact book architecture, and wondering if using user IDs directly (rather than providing some ID obfuscation) would be acceptable. If not, the only thing that comes to my mind capable of handling this level of ID uniqueness would be some hash function on user ID.
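
The point made in this thread, as an added example that is not part of any post and not eZ Publish code: the exposed ID is harmless as long as every request is checked against real rights on the server, and an opaque reference, if wanted, should be keyed rather than a plain hash. All function names, the key and the sample data are hypothetical and constructed for illustration.

```php
<?php
// Added example; names are hypothetical and none of this is eZ Publish API.

// Constructed sample data: contact book owner ID => IDs of users in that book.
$contacts = [14 => [27, 31], 27 => [14]];

// Server-side secret (constructed placeholder; load it from configuration).
const TOKEN_KEY = 'constructed-demo-key';

// The check that matters: may $viewerId read $targetId's contact card?
// It runs on every request, whatever the template chose to display.
function canViewContact(array $contacts, int $viewerId, int $targetId): bool
{
    return $viewerId === $targetId
        || in_array($targetId, $contacts[$viewerId] ?? [], true);
}

// Optional opaque reference. A plain md5/sha1 of a small integer can be
// recomputed by anyone, so the token is keyed with a server-side secret.
function userToken(int $userId): string
{
    return hash_hmac('sha256', (string) $userId, TOKEN_KEY);
}

// Resolve a token only among the IDs this viewer is allowed to see.
function resolveToken(array $contacts, int $viewerId, string $token): ?int
{
    foreach (array_merge([$viewerId], $contacts[$viewerId] ?? []) as $id) {
        if (hash_equals(userToken($id), $token)) {
            return $id;
        }
    }
    return null;
}

// Request handler: the ID arrives from the URL or form and is never trusted.
function showContact(array $contacts, int $viewerId, int $requestedId): string
{
    if (!canViewContact($contacts, $viewerId, $requestedId)) {
        return '403 Forbidden';
    }
    return "200 OK: contact card for user $requestedId";
}

echo showContact($contacts, 14, 27), PHP_EOL;          // ID in viewer 14's book
echo showContact($contacts, 14, 99), PHP_EOL;          // ID not in viewer 14's book
var_dump(resolveToken($contacts, 14, userToken(31)));  // token for a listed contact
var_dump(resolveToken($contacts, 14, userToken(99)));  // token for an unlisted user
```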