Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How To Provent URL variable tampering?

Status
Not open for further replies.
scorniglia

scorniglia

Technical User
Jul 10, 2001
13
US
Hi,
I am passing a variable to a form through a url that contains an id variable and CF session variables. This works fine but anyone can just the change the variable in the url and see someone elses data. So if the original url is:

main.cfm?id=36

someone can just change it to main.cfm?id=20 in the address bar, hit the enter key and see the data for the person with id 20. What is the best way to prevent this or obscure the url so it is not evident what needs to be changed?

I though about adding the id, cfid, and cftoken to one long number and then checking for this number on each subsequent page, but am not sure what would be the best way to institute this. Any ideas or thoughts about this are
appreciated. What do other people do in this scenario?

--
Regards,
Roy F.
 
Sort by date Sort by votes
You can use either session or client variables to store this id, instead of passing it through the URL. ColdFusion can then reference the session or client variable based on the cfid and cftoken, which can be passed in cookies, the URL, or form fields (via the GET method, which just makes them URL variables anyway).

-Tek
 
Upvote 0 Downvote
Thanks Tek,

I guess a session variable is probably the way to go. So what I would do is assign the id to a session variable at login and then on subsequent pages compare the session id to the id passed in the url to be sure they're the same. Makes sense. thanks again.

Regards,
Roy F.
 
Upvote 0 Downvote
For added security...

I always make a users ID a random 8 character number.
That way they have a tougher time trying to hit it.

When I have info only a specific user can edit.. I assign a session variable to the ID and their Security level on login.

I can than allow certain level users to edit anyone account or limit the choices if they are changing their own. Certainly preventing access to others.

David McIntosh
 
Upvote 0 Downvote
If you use session or client variables to store identifcation numbers, it doesn't matter whether you use a UUID or integer for the unique identifier, as the client side will never even get ahold of that data or pass it in any way. If you must pass identifiers through a URL or FORM, encrypting the variables would be the best way, second to the safest of not passing them at all.

-Tek
 
Upvote 0 Downvote
faq232-1926

A not only shameless plug, but helpful too.. The above faq gives you a short tutorial on CFLOCK and sessions.. a way to save you a lot of time and maintain data, and script integrity..

I recommend using session variables or at least cookies, encrypting the data in them as Teknology suggested..

If you're building the site for any kind of security, sessions are the way to go... or if you're building it for developers.. trust me, developers hate the sites they depend on to be insecure...

Tony
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

RosieGp
  • Locked
  • Question
How to read string of 0s and 1s 1
Replies
3
Views
712
LyndonOHRC
LyndonOHRC
FALCONSEYE
  • Locked
  • Question
Error: no known VMs. (check for corrupt jvm.cfg file) !!! How I Fixed It !!!
Replies
0
Views
784
FALCONSEYE
FALCONSEYE
Mike Lewis
  • Locked
  • Question
Using Dreamweaver to maintain a site not created in Dreamweaver
Replies
2
Views
690
Mike Lewis
Mike Lewis
lollieleaver
  • Locked
  • Question
Dreamweaver CS4 - how can I make an Access database downloadable from my site?
Replies
2
Views
249
lollieleaver
lollieleaver
lwfg
  • Locked
  • Question
client variables disappearing
Replies
0
Views
177
lwfg
lwfg

Part and Inventory Search

Sponsor

Back
Top