URL Thought

[gmoore]

Here is a forum url example:

index.php?p=forums&s=2&token=4ff90d9e4f301efc72b598f46b6f9bf6

Have you considered changing to something not so easy to mess with? And I mean, when you use numbers in a URL, like 1, 2 or 3 ... sometimes people can determine some information about your system. Like if you are player 43, they could assume there is a 1 to 42 and try to access them.

index.php?p=forums&s=2&token=4ff90d9e4f301efc72b598f46b6f9bf6

could be

index.php?p=98h12u12eig1p9d1yg&s=oinobu91d91i2h21ie&token=4ff90d9e4f301efc72b598f46b6f9bf6

And this is just a thought. Would like peoples opinion.

Thanx,

Greg

[Uridium]

people cant mess with the Tokens as it will either log them outn or send them back to index page try to manipulate the token and you will see what i mean

[gmoore]

Oooo it logs me off when I change:

index.php?p=view_player&id=2&token=53ac814a1ea4fe585ec61c69ac0a4b84

to:

index.php?p=view_player&id=1&token=53ac814a1ea4fe585ec61c69ac0a4b84

Didn't know it did that, awesome ;)

Greg

[a_bertrand]

That's the whole goal of the token part and it's done by the security_token module.

And as illusions said, you can guess the IDs, or whatever from the URL but:

1) You can't mess with them (the token is URL dependent and session dependent, so even if you login a second time, the token will be different for the same exact operation). Messing with the URL kick you out.

2) Most modules do check if you have actually the right to do this operation or not (or at least I hope they do it). For example the forums check if you have the right to view this thread or not.

So overall, even if you guess how things works and you understand those numbers links to id inside the DB (which honestly is not hard to guess), you would not go very far.