I’m working on a project that requires threaded conversation: someone posts something new which creates a new thread and all replies are attached to that thread. I have this working great from a technical perspective, but I’m concerned about the security of my solution:
In order to reply to a thread, the thread’s id, which is simply the database id of the thread, is in the HTML corresponding to the thread. This way, the JavaScript can get the thread id of the thread that’s being replied to and use this to pass the response text and the thread id to the back end via AJAX. It’s also used to find where in the HTML the reply should be appended.
An example of this HTML would be:
<div id='thread_1' threadId='1'>Hey, how's it going?
  <div id='replies_1' threadId='1'>
  </div>
  <input id='reply_text_1' type='text' value='Reply...' threadId='1'>
  <input id='reply_button_1' type='submit' value='Reply' threadId='1'>
</div>
<div id='thread_2' threadId='2'>Anyone here?
  <div id='replies_2' threadId='2'>
    <div id='reply_2_1'>Yes, I'm here</div>
  </div>
  <input id='reply_text_2' type='text' value='Reply...' threadId='2'>
  <input id='reply_button_2' type='submit' value='Reply' threadId='2'>
</div>
It does not seem like having database IDs in the front end code is a good idea – it seems like a potential security risk. Question is, how can I do this in a safe way? How can I associate the thread response from the front end to the thread in the database on the back end while not exposing my database IDs?
FYI – in case it helps, the back end is Java + Spring + Hibernate.
Any help is greatly appreciated!!
Having database IDs in the HTML is not a security risk. In any site you’ll often see them in the HTML and in the URLs. The important thing is that you check in your callbacks that the current user has access to delete/read/reply to the message.
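The check the answer describes, sketched as an added example that is not part of the original question or answer. It is plain Java with an in-memory map standing in for the Hibernate-backed table; the class, method and field names and the sample data are all hypothetical. In a Spring application the same logic would sit in the controller or service method that handles the AJAX reply.

```java
import java.util.*;

// Added illustration: every name in this class is hypothetical.
public class ReplyAuthz {
    // Constructed sample data standing in for the thread table.
    record ThreadRow(long id, Set<String> allowedUsers) {}

    static final Map<Long, ThreadRow> THREADS = Map.of(
        1L, new ThreadRow(1L, Set.of("alice", "bob")),
        2L, new ThreadRow(2L, Set.of("alice")));

    static final Map<Long, List<String>> REPLIES = new HashMap<>();

    // rawThreadId comes from the browser (the threadId attribute) and can be
    // changed by the user; sessionUser must come from the server-side session,
    // never from a request parameter.
    static String reply(String sessionUser, String rawThreadId, String text) {
        long id;
        try {
            id = Long.parseLong(rawThreadId);
        } catch (NumberFormatException e) {
            return "400 bad thread id";
        }
        ThreadRow t = THREADS.get(id);
        // Same answer for "no such thread" and "not allowed", so the response
        // does not reveal which ids exist.
        if (t == null || !t.allowedUsers().contains(sessionUser)) {
            return "404 not found";
        }
        if (text == null || text.isBlank() || text.length() > 2000) {
            return "400 bad reply text";
        }
        REPLIES.computeIfAbsent(id, k -> new ArrayList<>())
               .add(sessionUser + ": " + text);
        return "201 created";
    }

    public static void main(String[] args) {
        System.out.println(reply("bob", "1", "Good, thanks")); // bob may reply to thread 1
        System.out.println(reply("bob", "2", "Me too"));       // threadId edited in the page
        System.out.println(reply("bob", "999", "hello"));      // id that does not exist
        System.out.println(reply("bob", "abc", "hello"));      // id that is not a number
    }
}
```

Because the decision uses only the session identity and the server's own record of who may post in the thread, it does not matter that the id is visible in the page.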