Unless you change the encryption key every time, the encrypted id would 
still always be the same, so could still be stolen and used. Instead, you 
might simply want to confirm that the id in request.vars matches the id of 
the current logged in user.

Anthony

On Sunday, December 11, 2011 2:57:01 AM UTC-5, Constantine Vasil wrote:
>
> I am getting user_id = str(auth.user.id), form a link to be clicked 
> later.
>
> When clicked on, the browser bar looks like /user?user_id=9
>
> That is insecure. How to encrypt it to look like /user?user_id=10iksmwu0 
> (something like that)
> and decrypt later when extracting from the request_vars?
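As an added example (not from this thread and not web2py's own code), here is a minimal Python sketch of both points made above: a deterministic "encrypted" encoding of the id yields the same token every time, so a captured token can simply be replayed, whereas checking that the id in request.vars equals the logged-in user's id works regardless of how the id is encoded. `SECRET`, the `User` class and the plain dict standing in for request.vars are constructed stand-ins, not web2py objects.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # stand-in for a real application secret


class User:
    """Constructed stand-in for auth.user; only the id is needed here."""

    def __init__(self, id):
        self.id = id


def encode_id(user_id):
    """Deterministic, 'encrypted-looking' token: HMAC of the id, base32-encoded.
    Same input always gives the same token, so hiding the number changes nothing:
    whoever captures the token for user 9 can reuse it exactly as /user?user_id=9."""
    mac = hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:8]).decode().rstrip("=").lower()


def authorize_user_view(request_vars, auth_user):
    """Server-side authorization mirroring the advice in the reply above.
    Returns an HTTP-style status: 200 only when the requested id is the caller's own."""
    if auth_user is None:
        return 401  # not logged in
    raw = request_vars.get("user_id")
    if raw is None:
        return 400  # parameter missing
    try:
        requested = int(raw)
    except (TypeError, ValueError):
        return 400  # malformed parameter, never passed to the database
    if requested != auth_user.id:
        return 403  # someone else's id in the URL: reject, do not serve it
    return 200


if __name__ == "__main__":
    # Token for id 9 is identical on every call, i.e. replayable.
    print(encode_id(9), encode_id(9) == encode_id(9))
    me = User(9)
    print(authorize_user_view({"user_id": "9"}, me))   # 200, own record
    print(authorize_user_view({"user_id": "10"}, me))  # 403, tampered id
```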
