
Best and secure way to send parameters in URL

I am working on a website in which there would be functionality to update and delete data on the basis of id. Now the thing I am worried about is that my URL would be

www.example.com/public/controller/action/1

If the action is delete, any person can change the id from 1 to 2 in the URL and the data with id 2 would get deleted. What would be the best way to keep the flow secure? I am using ZF2 and Doctrine2. Any suggestions, please! Moreover, I am keeping ids in hidden fields, and anybody can use Firebug to change the value in the fields. Is there any way to protect data from that too?

Would any encryption-decryption method make it secure, so that if anybody edits the encrypted value, decrypting it would not result in the required id? Which one would be good?

Deepanshu Goyal asked Mar 18 '14 05:03



3 Answers

You should worry less about what happens when people change parameters within the URL or try to hack something into your HTML (hidden fields), and much more about what your users are actually allowed to do.

If an admin is allowed to delete all posts, for example, then it doesn't matter if he changes domain.com/post/delete/1 into domain.com/post/delete/42. If admins are supposed to delete everything, they can. So let them change it as much as they want to.

If admins however are only allowed to gain administrative privileges to their own entries, then you need to work this into your Service-Layer. The Service-Layer would check for permissions of the current user against the currently requested object. My personal favorite would be ZfcRbac.

If however you want to make it more difficult for people to actually change IDs, then you should give every entry a unique hash. So for example the url would be domain.com/post/delete/12acd-4a7f7c6-4a7f7c6-12acd-4a7f7c6 or something like that.

TL;DR: don't worry about what happens when people change stuff within the URL/HTML; simply worry about authentication and permissions in general.

Sam answered Sep 28 '22 08:09
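The service-layer check described in the answer above, together with its unguessable public identifier, as an added example that is not part of the original answers and does not use ZfcRbac's API. It assumes PHP 8.1+; `Post`, `PostService`, `AccessDenied` and the in-memory store are hypothetical stand-ins for a Doctrine entity and repository.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout: none of these are ZF2, Doctrine or ZfcRbac classes.
final class AccessDenied extends RuntimeException {}

final class Post
{
    public function __construct(
        public readonly int $id,
        public readonly int $ownerId,
        public readonly string $publicId // unguessable identifier used in URLs
    ) {}
}

final class PostService
{
    /** @var array<string, Post> constructed in-memory store standing in for a repository */
    private array $posts = [];

    public function create(int $id, int $ownerId): Post
    {
        // 128 bits from the CSPRNG, so the URL identifier cannot be predicted or enumerated.
        $post = new Post($id, $ownerId, bin2hex(random_bytes(16)));
        return $this->posts[$post->publicId] = $post;
    }

    /** $userId and $role must come from the server-side session, never from the request. */
    public function delete(int $userId, string $role, string $publicId): void
    {
        $post = $this->posts[$publicId] ?? null;
        // Same error for "missing" and "not yours", so responses do not reveal which ids exist.
        if ($post === null || ($role !== 'admin' && $post->ownerId !== $userId)) {
            throw new AccessDenied('Not found or not permitted');
        }
        unset($this->posts[$publicId]);
    }
}

// Constructed sample data: user 7 owns one post, user 8 owns another.
$service = new PostService();
$mine   = $service->create(1, 7);
$theirs = $service->create(2, 8);
$service->delete(7, 'user', $mine->publicId);       // owner deleting own post
try {
    $service->delete(7, 'user', $theirs->publicId); // user 7 with an edited URL
} catch (AccessDenied $e) {
    echo "denied: {$e->getMessage()}\n";
}
$service->delete(1, 'admin', $theirs->publicId);    // admin may delete any post
```

The random identifier only makes enumeration harder; the ownership check is what stops a request for someone else's record, even when the caller knows a valid identifier.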


You can change the id to some_random_string (based on a timestamp to make it unique) and search the database for that. There is no chance that a user would guess that random string. And second, check in the controller that the logged-in user has rights to CRUD actions.

You can use https://github.com/ZF-Commons/ZfcUser (with the second module for Doctrine) to handle auth, and in the controller you can check whether the user is logged in:

if ($this->zfcUserAuthentication()->hasIdentity()) {
    // The identity is the user entity of the logged-in user.
    $user = $this->zfcUserAuthentication()->getIdentity();
    if ($user->systemRole === 'admin') { // you can make a switch for that
        // can edit/delete/create
    }
}

To make this work you must copy UserEntity from that module and add systemRole (check the documentation for zfc-user for that).

Skaza answered Sep 28 '22 08:09


1- Try to check authorization in the action.
2- In some cases you can save some data, such as the entity id, in the session on page load and then only call delete.
3- Any encryption algorithm has one (or more) keys. An important part of security management is key management. If you have an implementation of an algorithm in PHP and JavaScript, then you should have the key on both sides for decryption (the user can find your keys in client-side code).
4- A hash may help you. A hash doesn't need a key and makes your data unreadable, but a hacker can call your URL with the hashed data.
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Update 1:
For encryption you can use data accessible on both server and client as the key. For example, use the "url character count" as the key:
url character count: 10
id (plain data): 23
id (encrypted, used for sending to the server): 33 = 23 + 10
On the server you should decrypt the id (id = id - url character count).

Important point: the encryption algorithm should be extremely minified and obfuscated on the client.

Amin Arab answered Sep 28 '22 08:09