Revealing user ID & security

Next topic

Author	Message
Piotrek Karaś	Tuesday 12 August 2008 7:29:08 am Hi all, Do you think revealing user ID (actual ID, not NodeID) in the forms or URLs could be potentially risky for any reason? Thanks, Piotrek -- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu
Piotrek Karaś	Friday 15 August 2008 11:27:27 pm Or maybe another way: is revealing object ID risky at all? User ID is a content object ID after all... -- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu
André R.	Sunday 17 August 2008 7:23:02 am Only if you use only visually block certain users from being able to do something with a object. (eg code in templates to decide on who should see edit / delete button based on something else then actually user rights) eZ Online Editor 5: http://projects.ez.no/ezoe \|\| eZJSCore (Ajax): http://projects.ez.no/ezjscore \|\| eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription @: http://twitter.com/andrerom
Piotrek Karaś	Sunday 17 August 2008 8:11:36 am Oh, yeah, but then it wouldn't be the best practice in any case, I suppose. I'm thinking of users' mutual contact book architecture, and wondering of using user IDs directly (rather than providing some id obfuscation) would be acceptable. If not, the only thing comes to my mind capable of handling this level of ID uniqueness would be some hash function on user ID. Thanks, Piotrek -- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu