Posted by Gordon Burditt on 10/05/63 11:45
>>All of this is a very poor substitute for validating that the user
>>in question has the authority to delete the record *AT THE TIME OF
>>THE FORM SUBMISSION*. If the user with administrator authority
>>always has the authority to delete *any* record, and a user without
>>administrator authority cannot delete any record (even his own),
>>there's nothing wrong with just using trivially-guessable record
>>numbers. But you need to re-check his administrator status at the
>>time of the form submission. He might have been fired between the
>>form being sent (and possibly cached in a browser for a year) and
>>submitting it.
>>
>>If the user can only delete *his own* records, then check, when he
>>submits the form, that he still has the authority to delete it: he
>>still owns it, his membership hasn't expired, he's still logged in
>>as the same user, etc.
>
>Sorry Gordon, I should have made it clear that each page checks the user
>as a matter of course. It didn't occur to me that some people don't do
>this.
If you check the user as a matter of course, then you can LET THE
USER SPOOF ALL HE WANTS. And random numbers are pointless in this
situation. If the user is properly logged in (which you check),
and he spoofs, then either he has the authority to delete the record,
which you should allow, or he doesn't, which you'll reject anyway.
If he's not logged in or doesn't have the authority to delete
records, he can spoof *ALL* of the numbers and still won't do any
deletions.
>By the way: It _is_ a good idea to use big random unguessable numbers
>for IDs because (a) it *obviously* makes the cracking job harder and (b)
If a user can only delete records he has the authority to delete anyway,
cracking attempts are pointless, so why bother preventing it?
>even if you hit a valid number you have no idea whose it would be. Thus
If the idea is to inflict random damage, it doesn't matter.
>it is a deterrent. Also (probably with more bits in the random number)
>it is _essential_ where the user cannot be validated. For example
>"Thank you for your custom...To view the progress of your order go to
>www..../orders.php?OID=123454345434544"
I don't think I'd feel comfortable implementing such a thing (if
it didn't require a login) if real money was involved. I'd worry
about putting any confidential information (e.g. an order) in
such a system also.
Gordon L. Burditt
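The point Gordon makes above, as an added illustration that is not code from the thread: every authority decision is made when the delete form is *submitted*, against the current user and record tables, so a guessable record id buys an attacker nothing. The in-memory stores, the user names, and the `delete_record`/`scenario` helpers are constructed for this example.

```python
"""Re-check authority at form-submission time, not at form-render time.

Added example for the thread above, not code from the original post.
All stores are constructed in-memory dictionaries; the names
`delete_record`, `current_user` and `scenario` are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool
    active: bool = True          # False once the account is disabled ("fired")


@dataclass
class Session:
    user_name: str
    expires_at: float


# Constructed sample data. Record ids are sequential and trivially guessable
# on purpose: the handler below does not rely on them being secret.
USERS = {
    "alice": User("alice", is_admin=True),
    "bob": User("bob", is_admin=False),
    "carol": User("carol", is_admin=False),
}
INITIAL_RECORDS = {1: "bob", 2: "carol", 3: "bob"}   # record id -> owner
RECORDS: dict = dict(INITIAL_RECORDS)
SESSIONS: dict = {}


def login(user_name: str, ttl: float = 3600.0) -> str:
    """Create an opaque session token for an (already authenticated) user."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = Session(user_name, time.time() + ttl)
    return token


def current_user(token: str):
    """Resolve the session *now*. Unknown, expired or disabled -> None."""
    sess = SESSIONS.get(token)
    if sess is None or sess.expires_at <= time.time():
        return None
    user = USERS.get(sess.user_name)
    if user is None or not user.active:
        return None
    return user


def delete_record(token: str, record_id: int) -> bool:
    """Handle the DELETE form submission.

    Nothing carried in the form (the record id, any cached "is admin"
    flag) is trusted. A spoofed record_id therefore names either a record
    the caller may delete (allowed) or one he may not (rejected); whether
    the id was guessable never enters into it.
    """
    user = current_user(token)
    if user is None:
        return False                     # not logged in, expired, or disabled
    owner = RECORDS.get(record_id)
    if owner is None:
        return False                     # no such record
    if user.is_admin or owner == user.name:
        del RECORDS[record_id]
        return True
    return False                         # logged in, but lacks authority


def scenario() -> dict:
    """Walk through the cases raised in the thread; returns the outcomes.

    State is reset at the start so the walkthrough is repeatable.
    """
    RECORDS.clear()
    RECORDS.update(INITIAL_RECORDS)
    SESSIONS.clear()
    for u in USERS.values():
        u.active = True

    results = {}
    bob = login("bob")
    results["own_record"] = delete_record(bob, 1)          # owner: allowed
    results["spoofed_other"] = delete_record(bob, 2)       # carol's: rejected

    alice = login("alice")
    USERS["alice"].active = False      # fired between form render and submit
    results["fired_admin"] = delete_record(alice, 2)       # rejected now

    carol = login("carol")
    SESSIONS[carol].expires_at = time.time() - 1           # session lapsed
    results["expired_session"] = delete_record(carol, 2)   # rejected

    results["remaining"] = sorted(RECORDS)                 # only record 1 gone
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

Note that `current_user` re-reads the `active` flag and the session expiry on every call; a form rendered an hour earlier (or cached for a year) carries no authority of its own, which is exactly the property the thread is arguing for.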