
I have a form for editing users. The user ID is passed to the client (in a hidden field) so that I know which user to update when the form is posted back to the server. My question is, how can I guard against users changing the ID in the DOM, thereby updating a record to which they should not have access?

The only ways I can think of are:

  1. Save the user ID in the session. (Painful).
  2. Run a salted hash on the user ID (and perhaps other form elements) and include it also as a hidden form element. (Not particularly secure?)

Are there other approaches?

Thanks!

EDIT: Hey, some great responses coming in. Note that the logged in user and the user being edited may be two different users, e.g. a Manager is editing a Staff record.

2 Comments

  • Saving the user ID in the session is absolutely the only sane choice. Why would it be painful? Is this not information you are already saving in the session anyway? Commented Mar 4, 2011 at 13:41
  • Salted hash in your case is quite secure as well. Commented Mar 4, 2011 at 13:47

4 Answers

3

The best way to do this is to just check after submission if the user has the right to edit that user.

Don't pollute the session with this data, because it can get messy, for example when a user opens the same page multiple times.


0

It depends somewhat on the conditions under which the user is allowed to edit it.

At the heart of it, it comes down to:

  1. Authenticate the user
  2. Check if the user is authorized to make that change

Authenticating the user is usually a case of "Do the username and password match?" or "Is there an active session with a logged in user associated with it?"

Authorization depends on your business logic. It might be "Is the logged in user the same as the user being edited?" or "Does the user being edited have a manager field containing the id of the logged in user?" and so on.

In the first case, storing the user id in the session shouldn't be painful. In the second case, you just do a database lookup as one of the first things you do in the script.
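The authenticate-then-authorize flow described in this answer and in the accepted one, as an added example in Python (not code from the question or any answer). The in-memory user table, the names and the `manager_id` field are constructed; a real application would do these lookups against its database.

```python
"""Server-side check for an 'edit user' form post.

The hidden user_id field is treated as untrusted input: the server
decides from its own data whether the logged-in user may edit it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    name: str
    manager_id: Optional[int]  # id of this user's manager, None at the top


# Constructed sample data: alice manages bob; carol is unrelated.
USERS = {
    1: User(1, "alice", None),
    2: User(2, "bob", 1),
    3: User(3, "carol", None),
}


def parse_target_id(form: dict) -> Optional[int]:
    """Parse the hidden-field value; anything non-numeric is rejected."""
    raw = form.get("user_id", "")
    return int(raw) if raw.isdigit() else None


def can_edit(session_user_id: int, target_id: int) -> bool:
    """Authorization rule from the answer: the logged-in user may edit
    their own record, or any record whose manager field points at them."""
    target = USERS.get(target_id)
    if target is None:
        return False
    return target_id == session_user_id or target.manager_id == session_user_id


def handle_edit_post(session: dict, form: dict) -> str:
    """Authenticate via the session, authorize via can_edit, then update."""
    session_user_id = session.get("user_id")
    if session_user_id is None:
        return "401 not logged in"
    target_id = parse_target_id(form)
    if target_id is None or not can_edit(session_user_id, target_id):
        # Tampered hidden field or no permission: refuse (and log it).
        return "403 forbidden"
    current = USERS[target_id]
    USERS[target_id] = User(target_id, form["name"], current.manager_id)
    return "200 updated"
```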


0

Why are you relying on a hidden field for knowing which record to update? If the user is logged in, you should already have their user_id in the session. So you can just find which record to update by finding which user is logged in.

2 Comments

  • The implication in the question is that one user is allowed to edit users other than themselves (but not all users).
  • If that is the case, it's fine to have user_id in the hidden field, but do another security check on the server to verify that the logged in user has the permission to edit the user_id submitted by the form.

-1

As mentioned, the fastest and most painless way to sort this would be to stick the USER_ID in the session, period.

Comments saying that you "pollute" session with that information are plainly uneducated, ignore them.

The other thing I noticed in comments is the "check if the user has the rights to edit the entry" which implies there's some sort of hierarchical system in place, which seems not to be true.

An alternative to session storage would be, as you assumed already, obfuscating the USER_ID value in the hidden field somehow. You could either encrypt it or, instead of an integer ID, use GUIDs, but that has implications of its own, though it makes it incredibly hard for someone to "guess" the correct GUID to mess around with the records.
