Hiding URL query parameters - encrpytion, session, etc ?
I have various parts of my application in which GET is used and various values are passed via URL query parameters. Some of these values are sensitive data, such as primary key ids, i.e. account id, etc. What would be the best way / practice to hide this data so that they aren't exposed to end users? I have so far thought of using URL encryption or maybe even sessions -- does anyone have any other ideas?
Also, is there any particular data that should or shouldn't be hidden?
The only time I think it's a good idea to pass anything through the url is when you want that page (with the correct get variables) to be bookmarkable. Otherwise, use POST or SESSION.
For example, http://www.yourpage.com/page.php?page_n ... light=word
I would not do this:
http://www.yourpage.com/page.php?user_i ... hn%20Eaton
What about cases in which I HAVE to use a query string, BUT there is a sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5
tdnxxx444 wrote: What about cases in which I HAVE to use a query string, BUT there is a sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5
Sounds like poor design actually.
- RobertGonzalez
tdnxxx444 wrote: What about cases in which I HAVE to use a query string, BUT there is a sensitive data in the query string. For example, I have a page with a listing of items sold by different users. I can click on an item, and it will take me to a page with all items sold by that particular user via query string. i.e. item_sold.php?user_id=5
You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.
Everah wrote: You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.
I would like to stay away from javascript, as I want to support as many users as possible, and some still use some pretty primitive browsers.
tdnxxx444 wrote: Weirdan - What if ANY user can view items sold by a specific user?
Do you mean they SHOULD be able to view those items?
tdnxxx444 wrote: hackers are given a gateway to modify, access certain data?
Unless you implement appropriate access checks, which you should implement.
Please read some of these papers. Security through obscurity alone can't be considered adequate security practice.
- RobertGonzalez
Everah wrote: You don't have to use querystrings. I did away with querystring passing and went to forms, even for things like this. You can also use javascript form submits using links so that it simulates what you are used to. Passing any type of sensitive data, especially data that manipulates database information, by way of a querystring is dangerous. I'd stay away from it altogether.
tdnxxx444 wrote: I would like to stay away from javascript, as I want to support as many users as possible, and some still use some pretty primitive browsers.
Then don't use it. Use forms instead. Instead of lining out links, line out buttons that process a hidden field that contains what you would have put into the query string.
To the people recommending POST over GET: you do realise that POST is just as insecure as GET?
tdnxxx444: Using GET for scenarios such as item_sold.php?userid=5 is just fine, providing you have sufficient authentication on item_sold.php. 'userid=5' isn't what I would class as "sensitive" data.
Sensitive data, for example, would be the person's password, or the person's billing info etc.
If you could post an example of what is causing you concern, we may be able to assist further, but until then all we can do is speculate.
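An added example of the access check Weirdan and Jenk are talking about; this is not code from the thread. It keeps user_id in the query string of item_sold.php and relies on server-side authorization rather than on hiding the id. It assumes a hypothetical db.php that defines a PDO connection $pdo, a session holding the logged-in user's id, and a hypothetical items table with columns id, seller_id, title and visibility ('public' or 'private').

```php
<?php
// item_sold.php?user_id=5
// Added example, not from the thread. The id in the URL is not the secret;
// the authorization decision made here is what protects the data.
require 'db.php';          // hypothetical include that defines $pdo (PDO)
session_start();

// Validate the parameter before it touches anything: positive integer or reject.
$sellerId = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($sellerId === false || $sellerId === null) {
    http_response_code(400);
    exit('Invalid user_id');
}

$viewerId = $_SESSION['user_id'] ?? null;   // null when nobody is logged in

// Decide what this viewer may see of this seller's listings.
// Owners see all of their own items; everyone else only sees public ones.
function allowedVisibility(?int $viewerId, int $sellerId): array
{
    if ($viewerId !== null && $viewerId === $sellerId) {
        return ['public', 'private'];
    }
    return ['public'];
}

$visibility   = allowedVisibility($viewerId, $sellerId);
$placeholders = implode(',', array_fill(0, count($visibility), '?'));

// Parameterised query: the value from the URL is never concatenated into SQL,
// and the visibility filter is enforced in the query itself, not in the view.
$stmt = $pdo->prepare(
    "SELECT id, title FROM items WHERE seller_id = ? AND visibility IN ($placeholders)"
);
$stmt->execute(array_merge([$sellerId], $visibility));
$items = $stmt->fetchAll(PDO::FETCH_ASSOC);

if (!$items) {
    http_response_code(404);   // same response for "no seller" and "nothing visible"
    exit('No items found');
}
foreach ($items as $item) {
    // Escape on output so a seller-controlled title cannot inject markup.
    echo htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Changing user_id in the URL to another seller's id only ever yields that seller's public items, so there is nothing to gain from hiding the number.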
Jenk wrote: To the people recommending POST over GET: you do realise that POST is just as insecure as GET?
It's often overlooked, and I don't know that it matters (much) in this scenario, but that statement isn't totally accurate. There is one difference that makes GET more insecure for some things: Referrer tags.
If you are on my site, and you go to http://www.example.com?content=adult , and then load your company homepage, their apache logs will show that's where you came from.
So there is a slight difference, and it makes GET slightly less secure, but it only applies in a very few situations. I doubt this is one of them, but I wanted to clarify that point.