tags:

views:

145

answers:

2
+1  Q: 

Are visible GUIDs a security risk?

Hi, I'm using ASP.NET and the membership provider for my site. If the user is able to easily see their GUID, would that be considered a security risk? Should I take extra steps to prevent users from easily finding their GUID such as when they confirm their verification process. Although there are ways around this, such as using a seperate GUID for 'front-end' activities, is this an unnecessary increase in overheads and development time?

An example of possible spoofing is when I'm authenticating a user's permission to access a resource. 

Guid cUser = (Guid)Membership.GetUser().ProviderUserKey; //if this is publicly viewed, then  there's no reason to call the DB or store in a session as it can be placed in the QueryString
bool grantAccess = CheckGroupPermission(cUser, groupID);

Thanks

+2  A: 

It is generally not a good idea to expose keys to a database to the outside world, but if you had to choose what kind of field to expose, a GUID is not that bad of a choice. It is much better than exposing a sequence number where it can be guessed (rather easily) what constitute an unknown valid identifier in a DB.

You can, instead of providing the GUID to the outside world, provide the username. It should be unique.

Wayne Hartman  2009-10-17 14:46:36
In my case, the username is the user's email address. I may be wrong, but would displaying a unique username be no different from displaying the GUID since at the backend, they'd be used appropriately? i.e. a user spoofs the username, which is then converted to the GUID at the backend anyway, thus granting the same access as directly inputting the GUID. Thanks.
keyboardP  2009-10-17 15:25:59
True, but by exposing the username, you are not exposing the inner workings of your application the way you would via another identifier.
Wayne Hartman  2009-10-18 00:50:52
Ah, fair enough. Thanks for your help.
keyboardP  2009-10-18 10:34:59
+4  A: 

No, displaying the id of the user record is not a security risk in itself. You should not rely on it being secret anyway, as it would be hard to make yourself totally independent of them.

It is however a security risk if you are using only the id as verification to grant access to resources. You can never rely completely on any information sent from the client, you should always use some information that can't be tampered with so easily, like a value in a session variable that is only placed there after proper user verification.

Guffa  2009-10-17 14:52:52
Would you suggest that I use "Session["userID"] = Membership.GetUser().ProviderUserKey;" (at some event such as page_load), and then use the session for future authentication? Or are there further steps I should be taking? Thanks
keyboardP  2009-10-17 15:23:15
@Tenaciouslmpy: Using a session variable only withing the page is pointless. Set the session variable at the login page where you have the full authentication, then use it throughout the session. If the ProviderUserKey already is based on session data, you can of course use that instead.
Guffa  2009-10-17 20:56:01
The problem with using ProviderUserKey is that it hits the database everytime it's called, so I thought it'd be easier to store in a session. Good call on the login page authentication!Thanks for the help.
keyboardP  2009-10-18 10:37:27

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps