How to link from item list to item detail

[Malin Ljungh <ma...@kvadrat.se>]

I'm writing an application where logged in users can create "items". User
can then list their items and by following a link (DirectLink) they will
reach the item details page where the selected item can be edited. This is a
typical scenario which I imagine occurs in many apps.

I have implemented the link with a DirectLink which has the item ID as
parameter. In the listener I will create the page, set the ID on the page
object and the return the page object. It works fine!

The thing is that a user can reach other users items by editing the URL for
the detail page - the URL ends with i.e.
...&sp=3
where 3 is the item ID.

This means I will have to check on the details page that the item to be
shown is indeed owned by the current user.
OK, I can do that, but is there maybe a better way to perform the link?

/Malin

Re: How to link from item list to item detail

[Malin Ljungh <ma...@kvadrat.se>]

Thank you Dave for an excellent answer. Clear as crystal.

As the coward I am I will implement the check instead of the hash.

Peace in return,
Malin

On 9/6/06, David Harkness <dh...@azureus-inc.com> wrote:
>
> Malin Ljungh wrote:
> > This means I will have to check on the details page that the item to be
> > shown is indeed owned by the current user.
> > OK, I can do that, but is there maybe a better way to perform the link?
>
> Hi Malin,
>
> If you don't enforce the rule by checking on the server, no matter what
> you do malicious users will be able to bypass client-side security.
> However, you can at least make it more difficult.
>
> One method is to not expose your object identifiers to the client.
> Instead, create a hash of the ID (or some other unique attribute) along
> with some secret "salt" value (i.e. you hash the ID appended to an
> internal secret value). Use this hash to generate your links.
>
> Thus, instead of linking to "...&id=45" you link to
> "...&id=472b891c7a7d21f2". The likelihood that a user will be able to
> guess a hash value will be much less than a that of guessing a valid ID
> which is probably a sequence. While incredibly small, the probably is
> not zero. This is known as "security through obfuscation" and is not
> truly secure. It's like hiding your spare house key under your
> *neighbor's* mat -- unlikely for a robber to look there, but not
> impossible.
>
> Peace,
> Dave
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>

Re: How to link from item list to item detail

[David Harkness <dh...@azureus-inc.com>]

Malin Ljungh wrote:
> This means I will have to check on the details page that the item to be
> shown is indeed owned by the current user.
> OK, I can do that, but is there maybe a better way to perform the link?

Hi Malin,

If you don't enforce the rule by checking on the server, no matter what 
you do malicious users will be able to bypass client-side security. 
However, you can at least make it more difficult.

One method is to not expose your object identifiers to the client. 
Instead, create a hash of the ID (or some other unique attribute) along 
with some secret "salt" value (i.e. you hash the ID appended to an 
internal secret value). Use this hash to generate your links.

Thus, instead of linking to "...&id=45" you link to 
"...&id=472b891c7a7d21f2". The likelihood that a user will be able to 
guess a hash value will be much less than a that of guessing a valid ID 
which is probably a sequence. While incredibly small, the probably is 
not zero. This is known as "security through obfuscation" and is not 
truly secure. It's like hiding your spare house key under your 
*neighbor's* mat -- unlikely for a robber to look there, but not impossible.

Peace,
Dave


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org