Heh. It should also be pointed out that security is not obfuscation. If your slug is a social security number, I don't care if you're using a one time pad for authentication, you're still going to have social security numbers in your browser history for the world to see. :) A mix of obfuscation and security is a wise course of action.
Cheers,
Cliff

On Sat, 2008-04-12 at 11:28 -0700, ydjango wrote:
> Agreed, for MLS records, newspaper stories, blog entries etc. most
> likely there is no security issue with incrementing db ids in url, and
> might actually be useful in some cases as you pointed out.
> But substitute MLS for accounts, health records, employee records with
> salary information etc, and a potential issue appears for sites not
> having strong data/object level authorization.
>
> I fully agree with other people (Cliff and Ned) on this thread that
> obfuscation should not be mistaken for real security, and I thank them
> for pointing this out as I might have made that mistake.
>
> But in my case, my decision is to go with both obfuscation of id in
> url and security through proper authentication and authorization.
> Security - the more levels you have, the harder and costlier it is to break.
>
> Thanks,
> Ashish
>
> On Apr 12, 10:03 am, "James Bennett" <[EMAIL PROTECTED]> wrote:
> > On Fri, Apr 11, 2008 at 6:28 PM, ydjango <[EMAIL PROTECTED]> wrote:
> > > Currently I am constructing the url as /house/edit/123/
> > > where 123 is the house database primary key for that house.
> > >
> > > Can exposing the primary key in the url be any security issue?
> > >
> > > (r'^house/edit/(\d+)/$', editHouse)
> > >
> > > Is there an alternative way without exposing the primary key in the url?
> >
> > There is no security issue unless you care about people knowing how
> > many houses are in your system.
> >
> > However, if you're looking for an alternative, and if you have access
> > to an MLS[1] or similar database, the listing number will be unique
> > within a given MLS database. This makes for a useful identifier,
> > particularly if your users are realtors or work in the real-estate
> > industry since they'll already be familiar with the system and telling
> > them to just visit "/house/<MLS number>/" is easy ;)
> >
> > [1] http://en.wikipedia.org/wiki/Multiple_Listing_Service
> >
> > --
> > "Bureaucrat Conrad, you are technically correct -- the best kind of
> > correct."

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
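The point the thread converges on (an opaque id in the URL is fine, but the object-level authorization check in the view is what actually protects the record) as an added, runnable illustration. This is example code written for this page, not code from any of the posters, and it stands in for Django with plain Python: the URL patterns mirror the `(r'^house/edit/(\d+)/$', editHouse)` form from the thread, while the house store, owner names and the `edit_house` view are made up for the example.

```python
import re
import uuid

# Constructed sample store: houses keyed by an opaque public id instead of the
# database primary key, each with an owner (all values made up for this example).
HOUSES = {}

def make_public_id() -> str:
    """Return a random, non-sequential identifier for use in URLs."""
    return str(uuid.uuid4())

def add_house(owner: str, address: str) -> str:
    """Store a house and return the opaque id that will appear in its URL."""
    public_id = make_public_id()
    HOUSES[public_id] = {"owner": owner, "address": address}
    return public_id

# URL patterns in the spirit of the thread's (r'^house/edit/(\d+)/$', editHouse):
# the first only ever matches sequential integers, the second only UUID-shaped ids.
SEQUENTIAL_PATTERN = re.compile(r"^house/edit/(\d+)/$")
OPAQUE_PATTERN = re.compile(
    r"^house/edit/([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})/$")

def edit_house(user: str, path: str) -> int:
    """Resolve an edit URL for `user` and return an HTTP-style status code.

    The ownership check is the real control: a caller who has seen a valid
    opaque id (in a browser history, say) is still refused unless they own
    the house. Obfuscating the id only stops people guessing neighbours.
    """
    match = OPAQUE_PATTERN.match(path)
    if not match:
        return 404                      # URL shape not routed at all
    house = HOUSES.get(match.group(1))
    if house is None:
        return 404                      # no such record
    if house["owner"] != user:
        # Object-level authorization failure. Returning 404 here instead
        # would additionally avoid confirming that the record exists.
        return 403
    house["address"] = house["address"].strip()   # stand-in for the real edit
    return 200
```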