|Does it matter if you show the unique id of a record in the URL?|
In lot's of instances I see urls such as www.test.com/user.php?id=10 etc.
Is there any "danger" associated with showing these ID's assuming you have already verified that user has the right to view them i.e. so if they try to view www.test.com/user.php?id=11 but are not allowed to then it stops them from doing so?
I have saw some apps which use things such as www.example.com/09a30000000D9x or some other random, unique string which makes it much harder for someone to try and find the next record or to try and view a specific record which they are not meant to but is this actually necessary?
Hi there dowzer,
Only thing I will offer as an answer is this: if you have this sort of URL, it isn't very SEO friendly, but if you have that particular example re written through your .htaccess file and using the mod_rewrite module, you can make that URL more 'acceptable' - though you must understand that mod_rewrite doesn't rewrite the URL for you, you have to have the URL done like:-
www.test.com/user/10/index.html (you can omit the .html part too if you like :))
so your URL is done in the actual anchor tag, then the rule in the .htaccess file interprets this and asks the server to display the data accordingly.
So, a more concise answer is: Having the friendly URLs makes for better search engine results. At least this is how I understand it to be...
See several of my posts in this thread from earlier today, on why URLs like
www.example.com/34437732/acme-rotating-widget are a Good Thing: [webmasterworld.com...]
Thank you both.
In my case these pages will never be seen by a search engine - they are part of a secure application so my main concern is security rather than how it looks or how SEO friendly it may be, if that makes sense?
OK so let's say you log in and your user's URL looks like this.
What happens if you do this?
Does it reveal info about another user that it shouldn't? Is the field name of your table 'id'? This reveals info about your table structure. I can guess you have a table named something like 'users', and if error reporting is on someone can munge the URL to kick errors, and from those errors glean a little more info and do all sorts of nasty stuff.
In itself, no, it's not a big deal, it's just a little piece, but someone can go over your site, look at the form field names, and take a stab at the likelihood that the form fields are the same as the table field names . . . which is sickeningly common . . . all these little things add up to a way to abuse your site.
It's pretty easy to change. I can guess at the numbers, but if the user names are not publicly displayed,
will add a small layer. I can't guess at other user names (I can, but would it be worth it . . . ) what you do is look up the user by username instead, never revealing the record ID anywhere.
If you do www.test.com/user.php?id=12 and you are not allowed to view id 12 it redirects you to the user index page so that one is covered (I think!).
Your second points are really where I am coming from really around the level of information given away. Needs some more thought really, do I need to go back and start from scratch to make it more secure?