将用户ID用作url参数是否安全? [英] Is it secure to put the user id as a url parameter?

问题描述

我正在开发一个社交网络，我想知道是否可以在用户的​​个人资料页面中将存储在数据库中的用户ID作为参数放置在url中，或者在安全性方面是个坏主意?

I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?

我希望该网址可添加书签.我应该放置其他东西而不是用户ID吗?

I want the url to be bookmarkable. Should I put another thing instead of the user id?

推荐答案

在安全性方面，将用户ID放在url中没有问题.例如，StackOverflow已经做到了: https://stackoverflow.com/users/3477044/aliuk

In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk

重要的是要验证是否允许当前经过身份验证的用户访问该URL并代表该URL执行操作.

What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.

这篇关于将用户ID用作url参数是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！