
Let's say I want to pass information to the user that includes the user's unique id. Then, I want to use that id for CRUD operations. Is it a viable, or even recommended, option to store a cryptographic hash of that data, which would remain static using something like SHA-2 and then verify that what the user passed to me was what I sent them? Or, should I never send them the information in the first place and just look up the information from a table?

My issue now is that I am using AWS Cognito and using the sub as the unique identifier. So, I do not want to 'trust' the end user with sending me that sub after Cognito provides them with it.

sss
  • What do you mean "pass ... to the user"? They're going to write it down on a piece of paper then later re-enter it, and possibly corrupt it? Why is the user's id any different to any other persistent identifier? Just display it read-only on the screen. – AntC May 03 '19 at 23:46
  • I mean suppose I am sending the user their own user_id when they are properly authenticated. Then, suppose they want to insert a value into a db. They would send that value along with their request and I insert based off of that. A malicious authenticated user, if they retrieved someone else's user_id, would then be able to submit for someone else. Obviously this needs to be prevented. I am making the following assumption that there are more 'good' users than 'bad.' With that I think just verifying a hash could be a faster solution than re-retrieving all of the users data each time. – sss May 04 '19 at 00:15
  • Doesn't the DBMS/operating system apply security, including user identification? I don't see why you would want to send the `user_id` in a user-corruptible/spoofable format. Take user authentication from the OS's metadata for any update request you receive. Presumably some users (administrators) are allowed to make updates for other users -- for example to create their `user_id` in the first place. – AntC May 04 '19 at 04:05
  • It seems more appropriate to couple a session to a user after authentication. A hash is nothing more than a checksum that anybody can calculate if you use it like this. My complete and utter lack of AWS knowledge however makes it impossible for me to answer. – Maarten Bodewes May 04 '19 at 11:24
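
An added example, not code from any participant in this thread: it contrasts the hash check proposed in the question with the session coupling suggested in the comments. The class names, sample ids and in-memory "tables" are constructed for illustration and assume nothing about Cognito's API.

```python
import hashlib
import secrets

# Constructed sample identifiers (not real Cognito subs).
ALICE = "11111111-aaaa-4aaa-8aaa-111111111111"
BOB = "22222222-bbbb-4bbb-8bbb-222222222222"

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

class HashCheckedStore:
    """Scheme from the question: accept a client-sent id if its SHA-256 matches."""
    def __init__(self):
        self.rows = []

    def insert(self, user_id: str, digest: str, value: str) -> bool:
        # The digest has no secret input, so any client can compute it.
        if not secrets.compare_digest(digest, sha256_hex(user_id)):
            return False
        self.rows.append((user_id, value))
        return True

class SessionBoundStore:
    """Scheme from the comments: the owner comes from server-side session state."""
    def __init__(self):
        self.sessions = {}  # opaque token -> user id, recorded at authentication
        self.rows = []

    def login(self, authenticated_user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = authenticated_user_id
        return token

    def insert(self, token: str, value: str, claimed_user_id=None) -> bool:
        owner = self.sessions.get(token)
        if owner is None:
            return False
        # claimed_user_id is ignored on purpose: the client never picks the owner.
        self.rows.append((owner, value))
        return True

def demo():
    weak = HashCheckedStore()
    # Bob, logged in as himself, sends Alice's id plus a digest he computed.
    forged_ok = weak.insert(ALICE, sha256_hex(ALICE), "written by bob")
    strong = SessionBoundStore()
    bob_token = strong.login(BOB)
    strong.insert(bob_token, "written by bob", claimed_user_id=ALICE)
    return forged_ok, weak.rows[0][0], strong.rows[0][0]
```

The hash-checked store records the row under Alice's id, while the session-bound store records it under Bob's regardless of the id he claims. The lookup that the question hoped to avoid is a single dictionary access keyed by the session token.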

0 Answers