将用户ID用作url参数是否安全? [英] Is it secure to put the user id as a url parameter?
问题描述
我正在开发一个社交网络,我想知道是否可以在用户的个人资料页面中将存储在数据库中的用户ID作为参数放置在url中,或者在安全性方面是个坏主意?
I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?
我希望该网址可添加书签.我应该放置其他东西而不是用户ID吗?
I want the url to be bookmarkable. Should I put another thing instead of the user id?
推荐答案
在安全性方面,将用户ID放在url中没有问题.例如,StackOverflow已经做到了: https://stackoverflow.com/users/3477044/aliuk
In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk
重要的是要验证是否允许当前经过身份验证的用户访问该URL并代表该URL执行操作.
What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.
这篇关于将用户ID用作url参数是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!