Topic: Securing database identifiers in the URL

[hans]

The project I'm working on is a SaaS (multi-tenant) sort of thing where multiple customers can share a common database. For more secure customers, they get their own database.

Anyways, I'm thinking about how to hide the typical id=n in the URL when customers edit their records. I don't want them trying to just add one and see what happens (although I code for that, so they don't get to see those and they get tracked).

I was thinking about doing some sort of hashing id but I'm wondering in the case of Google or other large companies. Do they hash the id or are they just using a GUID or something as the surrogate key?

[Perspective]

I'm pretty sure google just uses a 64-bit encoding (i.e. not encrypted, and reversible). I wrote a little gmail notifier a while back that uses https to retrieve the RSS feed and that's what I had to do.

[Steve]

u do know gmail has a notifier right? It would be nice if it had a "Mark as read" option in the right click menu though. I also wish it did two mailbox's but it really needs that mark as read option.

[hans]

I use the firefox extension for my Gmail checking, it handles multiple accounts (even apps ones). Works pretty well.


So if Google just uses a 64 bit encoding, how would that be much different than just using the id? It's not hard to reverse the encoding and figure out what the id is.

I think I'm going to be starting a blog about building a multi-tenant app. As we're doing this I'm discovering more and more gotcha about different ways to do it. There doesn't seem to be a good way to do it that doesn't have serious downfalls in certain respects. It's sort of like the adage 'speed, quality, cost; pick two', although there are more choices than 3.

[Mike]

I use the firefox extension for my Gmail checking, it handles multiple accounts (even apps ones). Works pretty well.


So if Google just uses a 64 bit encoding, how would that be much different than just using the id? It's not hard to reverse the encoding and figure out what the id is.

I think I'm going to be starting a blog about building a multi-tenant app. As we're doing this I'm discovering more and more gotcha about different ways to do it. There doesn't seem to be a good way to do it that doesn't have serious downfalls in certain respects. It's sort of like the adage 'speed, quality, cost; pick two', although there are more choices than 3.

Well the 64 bit encoding is going to be URL safe while the unencoded string may not be.  That is one reason.

I would probably use a combination of sessions and cookies.  You can then store the database specific stuff in the session information (which is kept server side) and then do some basic user authentication using the cookie to keep them logged in.

[Perspective]

u do know gmail has a notifier right?

not for linux.

[Steve]

Ahh