cesark (Posting Yak Master, 215 Posts)
Posted - 2004-05-20 : 05:43:22

Is it dangerous, for security reasons, that a web application user can see its User_id (the Users table key value)? If so, what is the best way or technique of passing a unique reference to the user corresponding to its User_id?

Thank you,
Cesar
nr (SQLTeam MVY, 12543 Posts)
Posted - 2004-05-20 : 05:53:08

The web application should be in house and secure. If you mean passing it to the client and returning it then that's dubious. Usually use some session id held in the database to make sure they are still logged in.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.
cesark (Posting Yak Master, 215 Posts)
Posted - 2004-05-20 : 07:03:43

Yes, I mean passing that User_id to the client and returning it. Is this dubious? What is the difference between passing a Product_id, Invoice_id, State_id, Post_id, ... and User_id?
mohdowais (Sheikh of Yak Knowledge, 1456 Posts)
Posted - 2004-05-20 : 08:20:43

I am not quite sure what you mean by "web application user can see its user_id". Are you referring to the practice of passing the userid around in the query string? If that's what you mean, it depends on the level of sensitivity of your data. Of course, you should try and minimize the amount of data that is visible in the URL, which makes it easier for people to spoof, change, possibly crashing your application and leaving you susceptible to injection attacks. Of course, some applications just need to be designed that way, but there are ways around it. For example you can use cookies or session level variables to store this information, or include it in form POSTs through hidden variables. Each method has its advantages and disadvantages, and the best method is the one that suits your application best. If you are really concerned about the user being able to see the userid in the querystring, but your application design requires you to have it as part of the querystring, you can choose to encrypt the userid.

OS
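An added example (not code from anyone in this thread) of the risk mohdowais describes: a bare User_id in a cookie or query string can be changed by the client, so the server must be able to tell a value it issued from one that was altered. The usual minimal fix is to attach a keyed MAC (HMAC-SHA256 here) to the id before handing it to the client and to verify it on the way back. This protects the value against tampering only; it does not hide the id, which is what encryption would add on top. The secret key and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret. In a real application load it from configuration;
# it is generated here only so the example runs stand-alone (constructed value).
SECRET_KEY = secrets.token_bytes(32)


def sign_user_id(user_id: int, key: bytes = SECRET_KEY) -> str:
    """Return the cookie value '<user_id>.<tag>' where tag = HMAC-SHA256(key, user_id)."""
    msg = str(int(user_id)).encode("ascii")
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{msg.decode('ascii')}.{tag}"


def verify_user_id(cookie_value, key: bytes = SECRET_KEY):
    """Return the user id as an int if the tag matches, otherwise None.

    A client that edits the numeric part (or has no key) cannot produce a
    matching tag, so the altered value is rejected before any lookup is done.
    """
    if not cookie_value or "." not in cookie_value:
        return None
    id_part, _, tag = cookie_value.rpartition(".")
    if not id_part.isdigit():
        return None
    expected = hmac.new(key, id_part.encode("ascii"), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is.
    if not hmac.compare_digest(expected, tag):
        return None
    return int(id_part)
```

Verification must happen on every request that relies on the id; a signed value that is never checked is no better than a plain one.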
cesark (Posting Yak Master, 215 Posts)
Posted - 2004-05-20 : 10:45:56

I am considering storing this data in a cookie, because my aim is to follow the user for all the website, regardless of whether the private authenticated session has expired or not. My real doubt is whether it's necessary to encrypt this data (User_id), since it seems equal to other data that is visible to the user, like a Product_id. I am not an expert in security, and if I encrypt or protect some data I need a reason. Do you have some reason to recommend me to encrypt the User_id in a cookie? I am asking it because I am not totally sure, and it is the first time that I want to implement such a system to follow the user behavior through the entire site, once authenticated, regardless of the session time.

Thanks
nr (SQLTeam MVY, 12543 Posts)
Posted - 2004-05-20 : 13:18:20

When the user starts a session they will have to log in. If you pass the user ID and validate on that then all someone has to do is pass the same url (e.g. by using the history in the browser) and you would have no way of knowing whether this is a current session or not, or even from the same PC. You need something from the client which ensures that the dialogue is coming from the current session.

Simplest method is allocating a session ID when the user logs in (and invalidating all other sessions for that user). This gets passed on every page and the first action is to check the session ID to make sure it is a valid session and hasn't timed out. You can pass the user ID as well as an extra check but you need something which is specific to that connection.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.
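The scheme nr outlines, written out as an added example (not code from this thread): a sessions table in the database, a random session ID issued after login that also invalidates the user's other sessions, and a check on every page that the ID is known, still active, not timed out, and (optionally) belongs to the user ID the client also sent. An in-memory SQLite table stands in for the real database, the 20-minute idle timeout is a constructed value, and `now` is passed in explicitly so the timeout behaviour can be exercised deterministically; all names are assumptions.

```python
import secrets
import sqlite3

SESSION_TTL_SECONDS = 20 * 60  # idle timeout; constructed value for the example


def open_session_store() -> sqlite3.Connection:
    """Create the sessions table in an in-memory database (stand-in for the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE sessions (
            session_id TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            created_at INTEGER NOT NULL,
            last_seen  INTEGER NOT NULL,
            active     INTEGER NOT NULL DEFAULT 1
        )
        """
    )
    return conn


def start_session(conn: sqlite3.Connection, user_id: int, now: int) -> str:
    """Called after the login credentials have been verified.

    Invalidates every other active session for this user, then issues a fresh
    random session ID that carries no relation to the user_id.
    """
    conn.execute("UPDATE sessions SET active = 0 WHERE user_id = ? AND active = 1", (user_id,))
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    conn.execute(
        "INSERT INTO sessions (session_id, user_id, created_at, last_seen) VALUES (?, ?, ?, ?)",
        (session_id, user_id, now, now),
    )
    conn.commit()
    return session_id


def validate_session(conn, session_id, now, claimed_user_id=None, ttl=SESSION_TTL_SECONDS):
    """First action on every page: return the owning user_id, or None.

    Rejects unknown, invalidated and timed-out sessions. If the client also sent a
    user ID (nr's 'extra check'), it must match the one recorded for the session.
    A replayed URL from browser history fails here once the session has been
    replaced by a newer login or has idled past the timeout.
    """
    row = conn.execute(
        "SELECT user_id, last_seen FROM sessions WHERE session_id = ? AND active = 1",
        (session_id,),
    ).fetchone()
    if row is None:
        return None
    user_id, last_seen = row
    if now - last_seen > ttl:
        # Timed out: mark it inactive so it can never be revived by a later request.
        conn.execute("UPDATE sessions SET active = 0 WHERE session_id = ?", (session_id,))
        conn.commit()
        return None
    if claimed_user_id is not None and int(claimed_user_id) != user_id:
        return None
    # Sliding expiry: refresh last_seen on each successful check.
    conn.execute("UPDATE sessions SET last_seen = ? WHERE session_id = ?", (now, session_id))
    conn.commit()
    return user_id


def end_session(conn: sqlite3.Connection, session_id: str) -> None:
    """Explicit logout: invalidate the session server-side, not just on the client."""
    conn.execute("UPDATE sessions SET active = 0 WHERE session_id = ?", (session_id,))
    conn.commit()
```

The session ID is the only thing the client needs to present; the User_id the application works with comes from the sessions row, so nothing the client can edit decides which user the request runs as.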
cesark (Posting Yak Master, 215 Posts)
Posted - 2004-05-20 : 13:29:37

Ok, thank you!