[thelist] Link security and performance

Thu Feb 4 09:17:44 CST 2010

Ready for my pre-coffee ramblings?

I have not had much time (or luck) reverse-engineering Gmail, but I have
often wondered about their links.  Selecting a message and deleting it seems
to send somewhat abstract IDs back in the AJAX post.  So, I was wondering if
those links contain just the message ID or if they also include access and
ownership.  How does Gmail prevent me from modifying that request and
deleting another message I don't own, for example?

I'm not so interested in Gmail details, but of building links with security
built-in.

I often have the situation where I send a list of objects the user owns or
has control over back to the client.  Then in another request the user may
ask to delete one of those things.  In some applications it may be very
expensive (slow) to check all the permissions and ownership on the object
that is requested to be deleted.  Plus, when that object was provided to the
user in the first place all those checks were already done.

I've done something similar in the past.  For example, I have a page that is
very expensive to generate but has lots of links to do small actions.  When
the request come in for those small actions I need to make sure that it's a
valid action for that specific page w/o having to do the expensive part of
basically rebuilding the page to know what links are available.

In that case I built normal links (with query parameters) but also included
a hash of the parameters along with their session ID and a secret.  That way
when I receive the request I can validate that it's not been tampered with
and it is a valid link created for the specific page.

But, back to Gmail, if Gmail is doing something similar it doesn't look like
a hash of the parameters but more like they are using IDs that describe more
than just the ID of the email message.

Do I have a question?  Well, yes.  Kind of.

I'm now building out a much more complex application that's all about
managing "objects" -- where each object has ownership and permissions.  It's
mostly CRUD so what I'm thinking is a system where I don't pass object IDs
between the client and server but a more complex "ID" that when I get a
request to delete the object I know right away that the user can do that
action just by looking at this "ID" in the passed-in request.  The hope is
that I can simplify my model code (specifically the complex database read
and joins) and make the AJAX updates much simpler.

Anyone done something like this?  I guess what it boils down to is a system
to convert my primary keys into a tamper-proof ID that carries permissions
and ownership -- or maybe carries the key, the sesssion, and permissions.

Yes, there's some problems with this -- e.g. if permissions change on an
object and the user tries to use an old link.

-- 
Bill Moseley
moseley at hank.org