Support Forum

Search user topics feature question
rb22
Member
Oct 16, 2015 - 11:16 am

On another note, on the sp user profile at the bottom of the screen, I just discovered the view topics by user link, which is very handy, but I am wondering if security would be improved by not exposing the wp user_id. I am thinking about making this more visible to users but before that I thought I would get your take on the security concern.

Might it be better to pass the user_login for the "value" and then have the back end get the user_id?

https://simple-press.com/suppo.....038;type=4

Just a thought

Yellow Swordfish
Glinton, England
SP Master
Oct 16, 2015 - 11:43 am

On this one then perhaps the question is why would user_login be any more secure than user_id? I don't see it...?

rb22
Member
Oct 16, 2015 - 12:43 pm

Well generally, I am no expert but I think coders generally try not to expose critical id information ... by knowing the id you could use it for hacking, session hijacking etc. All the tables are cross referenced by id not user_login ... so it would be easier to get more info about the user if you knew the id. If the hack allows them to get the user id from the user login, I guess the point is moot but that's a big assumption.

You're right, there is less concern about this than I thought, but there is a debate. Here are some links discussing the issue.

http://stackoverflow.com/quest.....urity-risk

http://programmers.stackexchan.....t-practice

Thanks

Yellow Swordfish
Glinton, England
SP Master
Oct 16, 2015 - 12:50 pm

Oh yes - there is a permanent debate, always has been. And we have had it both ways in the past and always had complaints no matter which way it is. But WordPress is pretty solid in not allowing information like this to leak or be useful.
