0

I have a question about security. I have a website using an URL like that: 

www.mysite.com/product?id=4

On the server side, I check of course if the product id=4 exists AND if the connected user has the right permission to see this page for this product. If not the user gets the error "not authorized".

My problem is the id=4 is the primary key of my table. And I wonder if it is a good idea that this primary key appears in clear in the url.

Perhaps that 

www.mysite.com/product?id=45t6yHYU431azeFgThu78n

is better? Is it better to transform these parameters in the address bar? Or not necessary if the security is managed correctly on the server side ?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Dom
  • 2,984
  • 3
  • 34
  • 64
  • possible duplicate of [Using Primary Key / ID Field as an identifier in a URL](http://stackoverflow.com/questions/566996/using-primary-key-id-field-as-an-identifier-in-a-url) – Neil McGuigan Jul 05 '15 at 21:33

2 Answers2

0

It depends on what the identifier refers to. You always have to wonder what an attacker can do with this information. Does leaking an opaque identifier in the URL give the attacker any valuable information? Can he/she use this information to retrieve more information in a unsecured way?

If for example this identifier is a medical record number (MRN) which is also used in other systems and on numerous paper forms, it would be a HIPAA violation to use this identifier in a URL.

If on the other hand this identifier points to a product in your inventory table it probably is fine to use it in a URL fragment or query parameter.

MvdD
  • 22,082
  • 8
  • 65
  • 93
0

Rather than using product ID = 4 in URL, use POST method defined in PHP to send product ID to server side without showing it up in adress bar

Rohit Reddy Abbadi
  • 336
  • 3
  • 13