I have a main controller to handle the very front-end of my authentication system; it handles login, logout, update user info, etc., functions that I anticipate calling by POST'ing from views/forms. What about something like a "delete_user" function though? My thoughts are a button in someone's admin panel would say "Delete Account" and it would post to "/auth/delete", and the function would delete the user based on their session username or id. This seems a bit open ended: you could send out a link to someone and when they opened it while in that application it would delete their account. What's the best way to handle this?

A: 

The way I handle this is as follows. On your account page you have a link to delete the account. They click that link and are greeted with another page asking if they are really sure and, if so, asking them to enter their password to confirm.

After they do that I deactivate their account (not delete) and send an email saying that their account was deactivated and, if this was intended, no other action is needed on their part. If it was not intended they can log in to their account (within 48 hours) and it will reactivate it. After 48 hours I delete their account and information.

Tom Schlick
+1  A: 

What you are concerned about is actually called Cross Site Request Forgery, or XSRF. You can read more about it on the OWASP Website.

A few things that you should do to overcome this problem:

  1. Use POST for the delete operation. This doesn't protect you from XSRF, but protects you from link followers/page accelerators. It's also an HTTP best practice.
  2. Post your session identifier in the body of the request. On the server side, compare the session identifier from the cookie and from the request; if they are different, reject the request. This is the "double submit cookie" method to prevent XSRF.
  3. Alternatively, you can ask the user to solve a captcha.

Additionally, a "soft-delete" on the lines of what Tom mentions is also a good idea.

sri
+1  A: 

It sounds like adding some other piece of information to the function is the answer. Here is the function in question:

    function delete()
    {
        // Deletes whoever is currently logged in; nothing ties the request to a form.
        $id = $this->session->userdata('user_id');
        $this->auth->delete_user($id);
        redirect('home');
    }

In CodeIgniter this can be accessed by just visiting site.com/class/delete, which is my problem. I think a good plan will be to post an authentication token (saved in cookie) with the delete button, so it can't take action via the URL:

    function delete()
    {
        // Only a POST carrying a token equal to the session copy may delete.
        // Both values must be present: a loose == with a missing token (FALSE == FALSE)
        // would otherwise let the request through, and hash_equals avoids type juggling.
        $expected = $this->session->userdata('token');
        $given    = $this->input->post('token');
        if ($this->input->server('REQUEST_METHOD') === 'POST'
            && is_string($expected) && is_string($given)
            && hash_equals($expected, $given)) {
            $id = $this->session->userdata('user_id');
            $this->auth->delete_user($id);
        }
        redirect('home');
    }

I don't think i need a soft-delete right now, but thank you for that good tip! If you see any other issues please explain, thank you.

Prime Studios
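The token check from sri's second point and the follow-up code above, carried through in plain PHP as an added example (this is not the poster's CodeIgniter code): a synchronizer token kept in the session, with the hypothetical helper names csrf_token, csrf_field and csrf_request_is_valid, a form field named token, and PHP 7 or later assumed.

```php
<?php
// Added example, not the poster's CodeIgniter code: a synchronizer token for the
// "delete account" POST. Assumes PHP 7+; the session array is passed in explicitly.

// Issue one unguessable per-session token and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the delete form; the value is HTML-escaped.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// A state change is allowed only for a POST whose token matches the session copy.
function csrf_request_is_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;   // a plain link, image tag or prefetcher never qualifies
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;   // a missing token must never compare equal to anything
    }
    return hash_equals($expected, $given);   // constant-time, no == juggling
}

// In the real handler:
//   session_start();
//   if (csrf_request_is_valid($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
//       delete the current user, then redirect
//   } else {
//       http_response_code(403);
//   }

// Constructed requests (no real session) showing which ones get through.
$session = [];
echo csrf_field($session), "\n";                       // form now carries a token
$legit  = ['token' => $session['csrf_token']];
$forged = ['token' => 'guess'];
var_dump(csrf_request_is_valid('GET',  [],      $session));   // GET via a link
var_dump(csrf_request_is_valid('POST', [],      $session));   // POST without a token
var_dump(csrf_request_is_valid('POST', $forged, $session));   // POST with a wrong token
var_dump(csrf_request_is_valid('POST', $legit,  $session));   // POST from the real form
```

Only the last call is accepted; pairing this with the deactivate-then-delete window Tom describes limits the damage if a token ever does leak.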