Forums / Developer / Revealing user ID & security

Revealing user ID & security

Author Message

Piotrek Karaś

Tuesday 12 August 2008 7:29:08 am

Hi all,

Do you think revealing user ID (actual ID, not NodeID) in the forms or URLs could be potentially risky for any reason?

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

Piotrek Karaś

Friday 15 August 2008 11:27:27 pm

Or maybe another way: is revealing object ID risky at all? User ID is a content object ID after all...

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

André R.

Sunday 17 August 2008 7:23:02 am

Only if you use only visually block certain users from being able to do something with a object. (eg code in templates to decide on who should see edit / delete button based on something else then actually user rights)

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Sunday 17 August 2008 8:11:36 am

Oh, yeah, but then it wouldn't be the best practice in any case, I suppose.

I'm thinking of users' mutual contact book architecture, and wondering of using user IDs directly (rather than providing some id obfuscation) would be acceptable. If not, the only thing comes to my mind capable of handling this level of ID uniqueness would be some hash function on user ID.

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu