Home/ Questions/Q 8340701
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T05:15:11+00:00

I am working on an existing Web based application. Now, I need to secure

  • 0

I am working on an existing Web based application.

Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1.
I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.

The problem is that, the application is already in production and in good working condition, so the changes should be minimal with respect to this change.

How is this best achieved?

Any sugggestions/comments?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    why do you give the id in the URL when the user should only be allowed to change his profile? I don’t see any need for this. Rather get the current user from SecurityConext and display its profile on an URL without the id.

    with the new information you gave in the comments I suggest sth. like this:

    just check if the given orderid in the URL belongs to the current user.
    You’re saying you use “normal web based Application” so I assume Servlet/jsp based. In your servlet you would do something like this:

    int orderId = Integer.parseInt(request.getParameter("orderId"));
String username = request.getUserPrincipal().getName();
/*now you need to check if username match with the username of the order e.g. by using hibernate to get the order by id and check its user and if not throw PermissionDeniedException or similiar*/
    • 0