Project type: Asp MVC 2/NHibernate/C#
Problem
If you have an edit page in an web application you will come to the problem that you have to send and then receive the id of the entity you’re editing, the IDs of sub-entities, entities that can be selected by dropdownmenus,…
As it is possible to modify a form-post, an evil user could try to send back another ID which maybe would grant him more rights (if i.e. that ID was related to a security entity).
My approach
- Create a GUID and associate it with the ID
- Save the association in the http session
- Wait for the response and extract the real ID out of the received GUID.
Question:
What techniques do you use to obfusicate an entity-ID?
If you’re doing that much for GUIDs, why not just use GUIDs for the identity of the entity itself that’s actually stored in the database (though I’d advise against it)?
Or you could have a server side encryption scheme that encrypts and then subsequently decrypts the id (this is a long the same lines as what you’re doing except you’re not storing anything random like this in the session (yuck 🙂 ).
You could even forget trying to do this at all since a lot of sites are “affected” by this issue, and it’s obviously not a problem (StackOverflow for example). The overhead is just too much.
Also, if you’re worried about security, why don’t you have some sort of granular permissions set on the individual action/even entity level. This would solve some problems as well.
EDIT:
Another problem with your solution is inconsistent unique identifiers. If a user says “ID as23423he423fsda has ‘invalid’ data”, how do you know which ID it belongs to if it’s changing on every request (assuming you’re going to change the id in the URL as well)? You’d be much better of with an encryption algorithm that always hashes to the same value therefore, you can easily perform a lookup (if you need it) and also the user has consistent identifiers.