1

I have an expressjs application.

How can I secure the ID when POSTing a form?

I had a hidden field id in the form:

<input type="text" name="id" id="id" hidden="hidden" value="1">

The id can easily be changed to POST invalid data to my database.

How can I secure it? Should I hash it?

try-catch-finally
asked Dec 26, 2014 at 13:55
3
  • My first thought was to hash the "id" in concert with a secret salt. Or "sign" the ID value using a public key of some sort. You'd store the hashed/signed value as another hidden form element. Commented Dec 26, 2014 at 14:01
  • Or just validate the data server side, e.g. some code that ensures the passed ID corresponds to the current user. Commented Dec 26, 2014 at 14:03
  • What are your concerns when you think of securing the ID? From the context you've provided so far, I'd say you should authenticate the request either by padding authentication data or establishing a session which has been authenticated first. Since you'd probably use the ID to update, delete or create data related to that ID, you should check if the ID belongs to or is accessible by the requester. Further, you might harden the request against XSRF. Commented Dec 26, 2014 at 14:19

2 Answers

2

The only way I can think of is to encrypt the value using a reversible encryption method (hashing won't work since it is irreversible). Then when you receive the encrypted ID back at the server, decrypt it to get the value.

However, I wouldn't suggest doing that, no point for such a hassle just to prevent someone from changing the ID on postback. There may be tens of other fields in your form, how can you possibly secure all of them?

I suggest you do proper validation when you receive the postback data, for example:

If User A is trying to edit his Profile ID 1234, the form will have a hidden field with ID 1234. When the user completes the edit operation and posts the data back to the server, validate that User A has the rights to edit the posted Profile ID. If he has the right to do so, it doesn't matter if he changes the ID to something other than the original value.

answered Dec 26, 2014 at 14:09

1

You are probably trying to solve a wrong problem. All the POST data should be checked on the server side for consistency.

answered Dec 26, 2014 at 15:27
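The server-side check both answers recommend, as an added example that is not code from the original posts: a framework-agnostic handler an Express route could call with the authenticated session and the parsed POST body. The in-memory `profiles` store, the field names and the `updateProfile` and `parseId` functions are assumptions made for illustration.

```javascript
// Constructed in-memory data standing in for the database (hypothetical schema).
const profiles = new Map([
  [1, { ownerId: 'alice', displayName: 'Alice', role: 'user' }],
  [2, { ownerId: 'bob', displayName: 'Bob', role: 'user' }],
]);

// Only these fields may be changed through the form; everything else is ignored.
const EDITABLE_FIELDS = ['displayName'];

// Form values arrive as strings. Anything other than a plain positive integer
// is rejected before the store is touched.
function parseId(raw) {
  return typeof raw === 'string' && /^[1-9]\d{0,9}$/.test(raw) ? Number(raw) : null;
}

// session: server-side session ({ userId }) set at login, never read from the form.
// body: parsed POST body, fully client-controlled, including the hidden id.
function updateProfile(session, body = {}) {
  if (!session || !session.userId) return { status: 401, error: 'not logged in' };

  const id = parseId(body.id);
  if (id === null) return { status: 400, error: 'invalid id' };

  const profile = profiles.get(id);
  // Same response for a missing record and for someone else's record, so the
  // reply does not reveal which ids exist.
  if (!profile || profile.ownerId !== session.userId) {
    return { status: 404, error: 'profile not found' };
  }

  // Copy only whitelisted string fields; a posted "role" or "ownerId" is dropped.
  for (const field of EDITABLE_FIELDS) {
    if (typeof body[field] === 'string') profile[field] = body[field].trim().slice(0, 64);
  }
  return { status: 200, profile: { id, ...profile } };
}

// Alice edits her own profile, then resubmits with the hidden id changed to 2.
console.log(updateProfile({ userId: 'alice' }, { id: '1', displayName: 'Alice A.' }));
console.log(updateProfile({ userId: 'alice' }, { id: '2', displayName: 'Mallory', role: 'admin' }));
```

Because the owner is taken from the session and compared on every request, the hidden field needs no hashing or encryption: a changed id either points at a record the user owns or is refused.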
