
URL Thought



Here is a forum URL example:


Have you considered changing to something not so easy to mess with? And I mean, when you use numbers in a URL, like 1, 2 or 3 ... sometimes people can determine some information about your system. Like if you are player 43, they could assume there is a 1 to 42 and try to access them.


could be


And this is just a thought. Would like people's opinion.




That's the whole goal of the token part and it's done by the security_token module.

And as illusions said, you can guess the IDs, or whatever from the URL but:

1) You can't mess with them (the token is URL dependent and session dependent, so even if you log in a second time, the token will be different for the same exact operation). Messing with the URL kicks you out.

2) Most modules do check if you actually have the right to do this operation or not (or at least I hope they do it). For example the forums check if you have the right to view this thread or not.

So overall, even if you guess how things work and you understand those numbers link to IDs inside the DB (which honestly is not hard to guess), you would not go very far.

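The two points in the reply above, sketched as an added example that is not part of the original posts and is not the security_token module's own code. It assumes an HMAC-SHA256 tag keyed with a per-login random secret; the parameter names `token` and `thread` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

TOKEN_PARAM = "token"  # hypothetical parameter name, not taken from the module


def new_session_secret() -> bytes:
    """Fresh random key per login, so tokens never carry over between sessions."""
    return secrets.token_bytes(32)


def _canonical(url: str) -> bytes:
    """Path plus sorted query parameters, with the token itself left out."""
    parts = urlsplit(url)
    params = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                    if k != TOKEN_PARAM)
    return (parts.path + "?" + urlencode(params)).encode()


def sign_url(url: str, session_secret: bytes) -> str:
    """Append an HMAC-SHA256 token computed over the rest of the URL."""
    tag = hmac.new(session_secret, _canonical(url), hashlib.sha256).hexdigest()
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{TOKEN_PARAM}={tag}"


def verify_url(url: str, session_secret: bytes) -> bool:
    """True only if the token matches this exact URL for this session."""
    supplied = dict(parse_qsl(urlsplit(url).query)).get(TOKEN_PARAM, "")
    expected = hmac.new(session_secret, _canonical(url), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_request(url: str, session_secret: bytes, user: str, acl: dict) -> str:
    """Token check first (point 1), then the per-object permission check (point 2)."""
    if not verify_url(url, session_secret):
        return "logout"  # URL was edited, or the token is from another session
    thread = dict(parse_qsl(urlsplit(url).query)).get("thread")
    if user not in acl.get(thread, set()):
        return "forbidden"  # valid token, but no right to view this thread
    return "ok"
```

The permission check stays necessary because the token only proves the server issued that exact link in this session, not that the user may see the object behind the ID.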
