Is there a security issue when displaying a key value for users in a URL?

I use the Key value for objects in my data store as a unique identifier for the URL to pull up the record:

http://mysite.appspot.com/myaction/1x7s3fgdlbnRlcklkcicLAbcXc2VyQWNjb3VudCIFYW9uZ

This is not a very attractive solution, and it is not optimized for SEO, but it is the easiest way I found to identify an object in App Engine / Java.

My main problem is whether there is any security issue related to displaying a unique Key value for an object?

+3
4 answers

, ( ), . : (, ) , . , , , , , , .

, , , . URL-.

+5

, -, , .

- , .

, , , , , .

+3

, ? ( un-base64'd ).

, :

. . , . URL-, , .

- :

foo = FooModel.get_by_id(int(foo_id))

, , , , "" ( , , base64-protobuf- ).

+1
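What a datastore key string such as the one in the question's URL gives away once it is un-base64'd, as an added example that is not part of the original thread: a minimal decoder for the key's protobuf payload. The field numbers assume the legacy App Engine Reference message layout, and RAW/SAMPLE are a constructed key, not the one from the question.

```python
import base64

ELEMENT = {2: "kind", 3: "id", 4: "name"}   # assumed Path.Element field numbers
RAW = b"\x6a\x06s~demo\x72\x11\x0b\x12\x0bUserAccount\x18\x2a\x0c"  # constructed
SAMPLE = base64.urlsafe_b64encode(RAW).rstrip(b"=").decode()

def _varint(buf, i):
    """Read a protobuf varint at buf[i]; return (value, next index)."""
    value = shift = 0
    while True:
        byte, i = buf[i], i + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if byte < 0x80:
            return value, i

def _fields(buf):
    """Yield (field number, wire type, value) for each field in buf."""
    i = 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        num, wire, val = tag >> 3, tag & 7, None
        if wire == 0:                        # varint
            val, i = _varint(buf, i)
        elif wire == 2:                      # length-delimited bytes
            size, i = _varint(buf, i)
            if i + size > len(buf):
                raise ValueError("truncated field")
            val, i = buf[i:i + size], i + size
        elif wire not in (3, 4):             # 3/4 mark group start/end
            raise ValueError("unexpected wire type %d" % wire)
        yield num, wire, val

def decode_key(urlsafe):
    """Return the app id and entity path carried inside a key string."""
    raw = base64.urlsafe_b64decode(urlsafe + "=" * (-len(urlsafe) % 4))
    info = {"app": None, "path": []}
    try:
        for num, wire, val in _fields(raw):
            if num == 13 and wire == 2:      # assumed: Reference.app
                info["app"] = val.decode()
            elif num == 14 and wire == 2:    # assumed: Reference.path
                for n, w, v in _fields(val):
                    if w == 3:               # a new path element begins
                        info["path"].append({})
                    elif info["path"] and n in ELEMENT:
                        info["path"][-1][ELEMENT[n]] = v.decode() if w == 2 else v
    except IndexError:
        raise ValueError("truncated key string") from None
    return info
```

The application id, entity kind and numeric id or name all come back in clear text, so the key identifies a record but does not restrict access to it; the handler still has to authorize each request.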

In my opinion, this is not a security issue. Many sites use the identifier as the identifier on the site. The key is just the key to the row in the database table; you want to refrain from a detailed description of your database in terms of tables and user accounts, etc.

In this regard, you want to prevent the site from deleting database errors when they occur, catch them and handle them beautifully.

0

Source: https://habr.com/ru/post/1763485/