On my current project, security is top priority. The application is working with sensitive financial data so I really have to lock things down. Like most of my solutions ideas, this idea spawned while in the shower and thinking of how I was going to secure my URL variables.
To give a bit of background on the problem:
The framework we are using is our in-house application framework powered by ColdFusion which we have improved over the last 5 or 6 years. The security lies in the actual framework but my project uses quite a bit of AJAX so my ajax calls need to be secured in someway. Why not use the existing framework security I hear you cry? Well I do...to a point. But this is more of an extension to it. Typically an ajax call is done via URL GET and normally to a small action file. This call could easily be called and modified by an unscrupulous person as the main framework security is sometimes bypassed.
In my application I have users logged in and I hold their userId in the session variable session.userId
My url would typically look like:
The problem with this is that on the EditTimeSheet page you must in someway check that the user calling the url is valid and that the timeSheetId passed is actually the intended record.
Knowing that I am storing the current users ID in session.userId I reckoned I could use this variable to encode the URL and decode it automatically on the receiving end, again using the users session.userId as the decoding key.
When this link is now click on in the browser, it looks like:
The next thing we have to do is write some code to decrypt this URL on the receiving end. This is the code that does it:
What this code does is check to see if only one URL var is passed. Then it checks to see if has a & or a =. It then attempts to decrypt it using the session.userId and recreates the ColdFusion structure URL
In a simple example of the output, have a look at the screen below:
Now, the above is a simple example of the whole concept and I have hard coded USERID in place of SESSION.USERID.
The overall aim is to build 2 UDFs to do all the work and make it nice and reusable and cut down on duplicate code.
Problems with the solution:
One thing you may have asked yourself is what if someone tacks on another variable name/pair value? Will the whole thing be bypassed? Yes and No.
Not only are you masking the variables, your also masking the way your app is working so on the receiving end you could check to see if the first element of the new URL structs value is blank, then ignore the rest of the vars in the struct. This though assumes that you are always using this encoding method in your URLS and that the first element will always be an encrypted string.
One interesting thing of note:
ColdFusion has 2 inbuilt and not widely documented functions called cfusion_encrypt() and cfusion_decrypt() which are exactly the same as encrypt() and decrypt() except that the encoded string they produce is alphanumeric as opposed to all ASCII chars of the latter functions. This makes them perfect for what I need as we are passing and dealing with URL variables.
I'd love to hear other peoples views and ideas on it, so drop me an email, skype me or simply comment :-)