Destramic, posted December 24, 2014:

Hey guys, I'm after a bit of advice on routing within my framework, please.

Now I've created a route:

account/verify/email-address/:email_address/activation-key/:activation_key

which will then be interpreted into

account/verify/email-address/destramic-at-hotmail-dot-com/activation-key/12345

Now my question is: is having an email address in a URL a good idea? If so, I can decode the :email_address parameter in the route like so:

```php
$router->add_route(
    'account/verify/email-address/:email_address/activation-key/:activation_key',
    array(
        'controller' => 'users',
        'action'     => 'activate_account',
        'decode'     => array('email_address' => 'string_to_email'),
    )
);
```

Would like your thoughts on this please, guys (go easy)... If not, a user_id would be sufficient, I suppose.

Thanks

Jacques1, posted December 24, 2014:

> Now my question is: is having an email address in a URL a good idea?

No. E-mail addresses are much more complex than you may think. If you just drop them into your URL, the URL may break. Even worse, you seem to use URLs to trigger actions (which is very wrong). Combined with a URL injection through the e-mail address, this might be used for actual attacks.

Of course you could percent-encode the e-mail address to make sure it won't alter the URL. But that will of course look incredibly ugly.

Destramic, posted December 24, 2014:

Yeah, I did read up about how complex email addresses are... Although there are characters that are URL-unfriendly, mostly all email accounts only allow you to use a certain few characters which are URL-friendly. But I think I'll go with a user ID instead.

By the way, I use URLs to trigger actions? Well, when a certain URL is requested it will load the controller and action for it, passing parameters, which in this case are the email address and activation key... What is it I'm doing wrong, please?

Thank you

Jacques1, posted December 25, 2014:

> Yeah, I did read up about how complex email addresses are... Although there are characters that are URL-unfriendly, mostly all email accounts only allow you to use a certain few characters which are URL-friendly.

That may be the case for big e-mail providers, but some people run their own mailserver, so they aren't restricted by any such policies. You want your application to handle all possible input, not just most of it.

Actually, why do you even need the e-mail address or user ID? The activation token is supposed to come from a strong random number generator, which means it's automatically unique. So you might as well create a UNIQUE index for the column where you store the token hashes and use that as a lookup key. No need for any additional information. This is a much cleaner solution.

> By the way, I use URLs to trigger actions? Well, when a certain URL is requested it will load the controller and action for it, passing parameters, which in this case are the email address and activation key... What is it I'm doing wrong, please?

Is the actual activation triggered merely by visiting a certain URL? If that's the case, then it's a conceptual error. GET requests must not have side effects. Their sole purpose is to get a resource (hence the name). If you abuse the GET method for data changes, this can have serious consequences ranging from accidental requests to actual attacks. For example, any image with the source

https://yoursite.com/admin/delete_user/123

will automatically trigger a request to that URL.

Of course the account activation is a fairly harmless case, because it doesn't cause any damage and involves a secret (the activation token). But you should design your framework in a way that there's a clear distinction between getting a resource (with GET) and changing a resource (with POST, PUT etc.).

Speaking of attacks, do you have anti-CSRF tokens?

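The token-only lookup described in the reply above, as an added example that is not part of the original thread. It assumes PHP 7+ with PDO SQLite; the table, column and function names are hypothetical.

```php
<?php
// Added example: single-use activation tokens, stored and looked up by hash only.
// Table/column/function names are assumptions; in-memory SQLite stands in for the real DB.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE activation_tokens (
    token_hash TEXT NOT NULL UNIQUE,
    user_id    INTEGER NOT NULL REFERENCES users(id),
    expires_at INTEGER NOT NULL
)');

function issue_activation_token(PDO $db, int $userId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, URL-safe hex
    $stmt = $db->prepare('INSERT INTO activation_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;                        // goes into the mail; only the hash is stored
}

function activate_account(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;                     // not in our token format
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id FROM activation_tokens WHERE token_hash = ? AND expires_at >= ?');
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        $db->rollBack();
        return false;                     // unknown, expired or already used
    }
    $db->prepare('UPDATE users SET active = 1 WHERE id = ?')->execute([$userId]);
    $db->prepare('DELETE FROM activation_tokens WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    return true;
}

// Constructed sample data
$db->exec("INSERT INTO users (email) VALUES ('user@example.test')");
$token = issue_activation_token($db, 1);
var_dump(activate_account($db, $token));       // first use of a valid token
var_dump(activate_account($db, $token));       // replay of the same token
var_dump(activate_account($db, 'a@b/../x'));   // malformed input
```

Because the token is the only lookup key, the route needs neither the e-mail address nor the user ID, and a leaked database dump exposes only hashes.
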
Destramic, posted December 25, 2014:

Well, the only way I can think of validating an account other than a link is for them to fill out a form so the user can enter the code.

Thank you for the link... It had some great information on it, but I got a little confused on how it's best to generate an action request.

For instance, you said using a URI like user/123/delete would be a bad way, which I agree with... But what would be the best way to get around this?

user/delete would be great, but how do I reference the ID across?

Thanks for your help

Jacques1, posted December 25, 2014:

> Well, the only way I can think of validating an account other than a link is for them to fill out a form so the user can enter the code.

They don't need to fill out anything, a simple submit button is enough. You can leave the activation token in the URL or copy it into a hidden field.

A button is also very important for usability, because it allows the client to explicitly decide whether or not they want to activate the account. If you automatically do the activation just because the user has visited a certain page, that's very confusing and potentially against their will. It's simply not how the WWW works.

> For instance, you said using a URI like user/123/delete would be a bad way, which I agree with... But what would be the best way to get around this? user/delete would be great, but how do I reference the ID across?

The user ID can and should stay in the URL. The point is that you use an appropriate request method (not GET) and include an anti-CSRF token.

For example, I'd use the following URL to reference a particular user in the admin area:

https://admin.yoursite.com/users/123

To delete a user, you send a POST request with two parameters to this URL: One parameter specifies the action (e.g. action=delete), the other parameter is for the anti-CSRF token.

If your application uses Ajax rather than classical form-based interaction, you can use the DELETE method instead of POST and omit the action parameter. That's even more elegant. Unfortunately, HTML forms are currently limited to GET and POST.

Edited December 25, 2014 by Jacques1

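The GET/POST split with an anti-CSRF token described in the reply above, as an added example that is not part of the original thread. `handle_user_request()` and the `$session` array are hypothetical stand-ins for the framework's controller and `$_SESSION`; PHP 7.1+ is assumed.

```php
<?php
// Added example: GET only renders, POST with a valid anti-CSRF token changes state.
// handle_user_request() and $session are hypothetical, not part of any framework.
declare(strict_types=1);

function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // one token per session
    }
    return $session['csrf'];
}

function handle_user_request(string $method, string $path, array $post, array &$session): array
{
    if (!preg_match('#\A/users/(\d+)\z#', $path, $m)) {
        return [404, 'Not found'];
    }
    $id = (int) $m[1];
    if ($method === 'GET') {
        // Safe method: show the resource and a confirmation button, change nothing.
        $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
        return [200, "<form method=\"post\" action=\"/users/$id\">"
            . "<input type=\"hidden\" name=\"csrf_token\" value=\"$token\">"
            . '<button name="action" value="delete">Delete user</button></form>'];
    }
    if ($method !== 'POST') {
        return [405, 'Method not allowed'];
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !isset($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return [403, 'Invalid CSRF token'];   // request did not come from our own form
    }
    if (($post['action'] ?? '') !== 'delete') {
        return [400, 'Unknown action'];
    }
    return [200, "User $id deleted"];         // the real delete would run here
}

// Constructed requests against an empty session
$session = [];
[$status] = handle_user_request('GET', '/users/123', [], $session);   // renders the form
$noToken  = handle_user_request('POST', '/users/123', ['action' => 'delete'], $session);
$genuine  = handle_user_request('POST', '/users/123',
    ['action' => 'delete', 'csrf_token' => $session['csrf']], $session);
printf("%d %d %d\n", $status, $noToken[0], $genuine[0]);
```

The same shape fits account activation: the mailed link is a GET that shows a button, and the button's POST carries the activation token in a hidden field.
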
Destramic, posted December 28, 2014:

Some great advice there, Jacques... Thank you... I'll be sure to use these methods in my build.