Is it bad to expose userid to the client? - Identity 2 EF

  • Question

  • User471559320 posted

    Hi.
    I am building a user-driven site in MVC with ASP.NET Identity 2.

    All entities that a user can edit on the website are checked up on, by getting the current userid server-side.
    The userid is not exposed in queries when editing user-related content.

    It's mainly used for showing the profile, and used in the folder structure for uploaded content.

    I was wondering if it is considered bad practice to expose userids in URLs and paths to user-uploaded content?
    The userid in Identity consists of a Guid.

    Thank you! :) 

    Wednesday, July 13, 2016 2:36 PM

All replies

  • User753101303 posted

    Hi,

    I'm not sure why you need to show them as part of the URL, but at least it should be used to tell what the user wants to see, not who is the logged-in user, and even less as a "proof" he has access to that. So:
    - if a user will only edit his own stuff, the URL could be just myfiles/ThisFile.txt. Showing the actual path is not needed and you'll deal with that server side
    - if a user could access data from another user, it could be <guid>/ThisFile.txt for example, BUT:
        - it tells which other user's data is accessed
        - it doesn't tell who is the current user, or if the user has access just because he can use the link, i.e. you still have to check that this guid is either the one for the current user (i.e. the user can get his own stuff) or that the current user has been granted access to this content

    Not directly related, but it is quite frequent to see someone encrypting an id so that for thisrow.aspx?id=4, a user couldn't change 4 to 5. IMO this is a bad way, or at least not the first action that should be done. The point is not to make the value hard to change or guess (and if the encryption is not done properly it could be less hard than thought); the point is that EVEN if you can change 4 to 5, the page should check that the current user is allowed to access row 5 before showing the data.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, July 13, 2016 3:57 PM
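
The server-side check this answer describes, as an added example that is not part of the original thread: the GUID from the URL only names whose content is requested, and access is decided from the authenticated user's id. The class, method and folder names are hypothetical; in an ASP.NET Identity 2 MVC action, `currentUserId` would come from `User.Identity.GetUserId()`, and the file-name check is an extra guard added here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added illustration; UploadAccess, Grant and Resolve are hypothetical names.
public static class UploadAccess
{
    // Constructed sample store: (ownerId, viewerId) pairs the owner has shared with.
    static readonly HashSet<Tuple<Guid, Guid>> Grants = new HashSet<Tuple<Guid, Guid>>();

    public static void Grant(Guid owner, Guid viewer)
    {
        Grants.Add(Tuple.Create(owner, viewer));
    }

    // Returns the physical path if currentUserId may read the file, otherwise null.
    // currentUserId must come from the authenticated session, never from the request.
    public static string Resolve(string uploadsRoot, Guid currentUserId,
                                 string ownerFromUrl, string fileName)
    {
        Guid owner;
        if (!Guid.TryParse(ownerFromUrl, out owner)) return null;   // not a well-formed id

        bool allowed = owner == currentUserId                       // the user's own content
            || Grants.Contains(Tuple.Create(owner, currentUserId)); // explicitly shared
        if (!allowed) return null;                                  // knowing the GUID is not enough

        // Reject a file name that carries a directory part, so the URL
        // cannot reach outside the owner's folder.
        if (string.IsNullOrEmpty(fileName) || fileName != Path.GetFileName(fileName))
            return null;

        return Path.Combine(uploadsRoot, owner.ToString("D"), fileName);
    }

    public static void Main()
    {
        // Constructed users: Alice shares with Bob only.
        Guid alice = Guid.NewGuid(), bob = Guid.NewGuid(), carol = Guid.NewGuid();
        Grant(alice, bob);
        string a = alice.ToString();

        Console.WriteLine("owner:     " + (Resolve("uploads", alice, a, "ThisFile.txt") != null));
        Console.WriteLine("granted:   " + (Resolve("uploads", bob, a, "ThisFile.txt") != null));
        Console.WriteLine("no grant:  " + (Resolve("uploads", carol, a, "ThisFile.txt") != null));
        Console.WriteLine("traversal: " + (Resolve("uploads", alice, a, "../x/ThisFile.txt") != null));
    }
}
```

A `null` result would map to a 404 or 403 response in the action, so a guessed or copied GUID returns nothing unless the session user is the owner or holds a grant.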
  • User471559320 posted

    I'm not sure I understand you :) - The idea behind all this was to make a folder structure on the server to store public content of a user.

    As an example, when a user visits a profile, the profile picture is stored in the following folder: /uploads/useridofvisiteduser/profilepictures/guid.ext.

    My question is if it's okay to store content in that way, because the link to, in this case, the profile picture would contain the userid of the visited user.

    Wednesday, July 13, 2016 5:04 PM
  • User471559320 posted

    Another example could be sending a message to a user and having the userId of the specified user in the form post.

    Wednesday, July 13, 2016 7:38 PM
  • User1724605321 posted

    Hi velict,

    Could the logged-in user only see the profile picture of another user? If yes, on the server side, you should confirm that the role of the user has the permission to access other users' resources. If the user has permission, you could access the profile picture on the server side (using the user id as identifier), then show the image on the client side.

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 15, 2016 5:22 AM