Restful web application security

Tag: security , rest , web-applications , playframework-1.x Author: jackdada Date: 2013-04-20

I was wondering a bit about the security of my web application. I have a few questions and I hope you can help me with them.

I am using the Play framework (which supports REST); some of my REST routes look like this:

GET  /mailbox/user/{userId} Application.getMailboxMessages

I have two questions regarding that case.

1. Does placing the userId in my route make it a security risk? (Is getting the userId from the session on the server, and not passing the userId at all, what I should do?)

The first URL leads me to place the userId in my JavaScript file.

$.ajax({
    type: "GET",
    url: "/mailbox/user/" + window.userId,
    success: function() { /* ... */ }
});

2. Does placing the userId in the JavaScript pose a security risk?

3. Also, what happens with other user IDs I interact with using ajax; should I do something about them as well? For example:

$.ajax({
    type: "POST",
    // the original was missing the "+" after the first string literal
    url: "/sendMessage/userFrom/" + window.userId + "/userTo/" + someTargetUserVar,
    success: function() { /* update some GUI here */ }
});

Thank you.

Best Answer

Ad. 1. Placing the userId is basically OK; it is not a security risk (but you can obviously get it from the session in the backend; sometimes the URL convention is to use a link like /mailbox/user/self).

Ad. 2. As above, it is OK.

Ad. 3. If a given request is valid only for logged-in users, then either validate that and return an error code for the id of a non-current user, or don't pass the id in the URL; just get it from the session and then use /mailbox/user/self to make your intention clear to the API user.

comments:

OK, so I can pass the userId to the server, but need to validate it against the server session for the currently connected user?

Yep, that's the way to go. Or just get the id from the session.
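The check the answer and the comment describe, as an added example that is not part of the original post and not Play's Java API: the two routes from the question written as plain JavaScript handlers, with the unchecked mailbox handler next to the one that validates the URL id against the session. `session.userId` is an assumed field set at login; the mailboxes and user set are constructed sample data.

```javascript
// Added example: server-side validation of a user id taken from the URL,
// mirroring the Play routes in the question. `session.userId` is an assumed
// field filled at login; MAILBOXES and USERS are constructed sample data.
const SELF = "self"; // the "/mailbox/user/self" convention from the answer

const MAILBOXES = { "42": ["hi from 7"], "7": ["private note"] };
const USERS = new Set(Object.keys(MAILBOXES));

// Resolve a user id from the URL against the session. Returns
// { ok: true, userId } or { ok: false, status } (401 when not logged in,
// 403 when the id in the URL belongs to someone else).
function resolveOwnId(session, routeUserId) {
  if (!session || session.userId === undefined) {
    return { ok: false, status: 401 };
  }
  if (routeUserId === SELF || String(routeUserId) === String(session.userId)) {
    return { ok: true, userId: String(session.userId) };
  }
  return { ok: false, status: 403 };
}

// The risky shape: the handler trusts the id in the URL, so any logged-in
// user can read any mailbox just by changing the number in the request.
function getMailboxMessagesUnchecked(session, routeUserId, mailboxes) {
  if (!session) return { status: 401, body: null };
  return { status: 200, body: mailboxes[String(routeUserId)] || [] };
}

// GET /mailbox/user/{userId}, hardened: the URL id must be "self" or the
// session's own id; anything else is refused with 403.
function getMailboxMessages(session, routeUserId, mailboxes) {
  const auth = resolveOwnId(session, routeUserId);
  if (!auth.ok) return { status: auth.status, body: null };
  return { status: 200, body: mailboxes[auth.userId] || [] };
}

// POST /sendMessage/userFrom/{userFrom}/userTo/{userTo}: the sender must be
// the caller; the recipient only has to exist (404 otherwise).
function sendMessage(session, userFrom, userTo, users, outbox) {
  const auth = resolveOwnId(session, userFrom);
  if (!auth.ok) return { status: auth.status };
  if (!users.has(String(userTo))) return { status: 404 };
  outbox.push({ from: auth.userId, to: String(userTo) });
  return { status: 200 };
}

// Logged in as user 42, asking for mailbox 7:
console.log(getMailboxMessagesUnchecked({ userId: "42" }, "7", MAILBOXES).status); // 200
console.log(getMailboxMessages({ userId: "42" }, "7", MAILBOXES).status);          // 403
```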