framework router


Destramic


Hey guys, I'm after a bit of advice on routing within my framework please.

Now I've created a route:

account/verify/email-address/:email_address/activation-key/:activation_key

 

which will then be interpreted into

 

 

account/verify/email-address/destramic-at-hotmail-dot-com/activation-key/12345

 

Now my question is: is having an email address in a URL a good idea?

 

If so, I can decode the :email_address parameter in the route like so:

$router->add_route(
    'account/verify/email-address/:email_address/activation-key/:activation_key',
    array(
        'controller' => 'users',
        'action'     => 'activate_account',
        // run the :email_address parameter through the string_to_email decoder
        'decode'     => array('email_address' => 'string_to_email'),
    )
);

Would like your thoughts on this please guys (go easy)... if not, a user_id would be sufficient I suppose.

Thanks


Now my question is: is having an email address in a URL a good idea?

 

No. E-mail addresses are much more complex than you may think. If you just drop them into your URL, the URL may break.

 

Even worse, you seem to use URLs to trigger actions (which is very wrong). Combined with a URL injection through the e-mail address, this might be used for actual attacks.

 

Of course you could percent-encode the e-mail address to make sure it won't alter the URL. But that will of course look incredibly ugly.


Yeah, I did read up about how complex email addresses are... although there are characters that are URL unfriendly, mostly all email accounts only allow you to use a certain few characters which are URL friendly. But I think I'll go with a user ID instead.

By the way, I use URLs to trigger actions?... Well, when a certain URL is requested it will load the controller and action for it, passing parameters, which in this case are the email address and activation key.... What is it I'm doing wrong please?

Thank you


Yeah, I did read up about how complex email addresses are... although there are characters that are URL unfriendly, mostly all email accounts only allow you to use a certain few characters which are URL friendly.

 

That may be the case for big e-mail providers, but some people run their own mailserver, so they aren't restricted by any such policies. You want your application to handle all possible input, not just most of it. ;)

 

Actually, why do you even need the e-mail address or user ID? The activation token is supposed to come from a strong random number generator, which means it's automatically unique. So you might as well create a UNIQUE index for the column where you store the token hashes and use that as a lookup key. No need for any additional information. This is a much cleaner solution.

 

 

 

By the way, I use URLs to trigger actions?... Well, when a certain URL is requested it will load the controller and action for it, passing parameters, which in this case are the email address and activation key.... What is it I'm doing wrong please?

 

Is the actual activation triggered merely by visiting a certain URL? If that's the case, then it's a conceptual error.

 

GET requests must not have side effects. Their sole purpose is to get a resource (hence the name). If you abuse the GET method for data changes, this can have serious consequences ranging from accidental requests to actual attacks. For example, any image with the source https://yoursite.com/admin/delete_user/123 will automatically trigger a request to that URL.

 

Of course the account activation is a fairly harmless case, because it doesn't cause any damage and involves a secret (the activation token). But you should design your framework in a way that there's a clear distinction between getting a resource (with GET) and changing a resource (with POST, PUT etc.).

 

Speaking of attacks, do you have anti-CSRF tokens?
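The token-only lookup described in this reply, written out as an added example (this is not code from the thread or from the poster's framework). It assumes PHP with PDO and SQLite, a 24-hour token lifetime, and a `users` table of its own making; the token hash is the only key used to find the account, so neither the e-mail address nor the user ID appears in the link.

```php
<?php
// Added example: activation tokens looked up by their hash alone.
// Uses an in-memory SQLite database via PDO so it runs stand-alone.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 3600;   // assumption: tokens expire after one day

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        activated INTEGER NOT NULL DEFAULT 0
    )');
    // The hash is the lookup key, so it carries a UNIQUE index.
    $db->exec('CREATE TABLE activation_tokens (
        token_hash TEXT NOT NULL UNIQUE,
        user_id INTEGER NOT NULL REFERENCES users(id),
        expires_at INTEGER NOT NULL
    )');
}

// Issue a token for a user. Only the SHA-256 of the token is stored;
// the raw token goes into the e-mail and is never written to the database.
function issueActivationToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO activation_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Activate whichever account the token belongs to. Returns the user ID,
// or null when the token is malformed, unknown, expired or already used.
function activateWithToken(PDO $db, string $token): ?int {
    // Reject anything that is not 64 hex characters before touching the DB.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at FROM activation_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        $db->rollBack();
        return null;
    }
    $db->prepare('UPDATE users SET activated = 1 WHERE id = ?')->execute([$row['user_id']]);
    // Single use: remove the token so the same link cannot be replayed.
    $db->prepare('DELETE FROM activation_tokens WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    return (int) $row['user_id'];
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$db->prepare('INSERT INTO users (id, email) VALUES (?, ?)')->execute([1, 'someone@example.com']);

$token = issueActivationToken($db, 1);
echo "Activation link: https://yoursite.com/account/activate?token=$token\n";

var_dump(activateWithToken($db, $token));               // first use: the account's user ID
var_dump(activateWithToken($db, $token));               // second use: token already consumed
var_dump(activateWithToken($db, str_repeat('0', 64)));  // well-formed but unknown token
```

Storing only the hash means a read-only leak of the table does not hand out usable links, and the UNIQUE index both enforces the uniqueness the reply relies on and makes the lookup an index hit.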


Well, the only way I can think of validating an account other than a link is for them to fill out a form so the user can enter the code.

Thank you for the link... had some great information on it... but I got a little confused on how it's best to generate an action request.

For instance, you said using a URI like user/123/delete would be a bad way, which I agree... but what would be the best way to get around this?

 

user/delete would be great but how to reference the id across?

 

Thanks for your help


Well, the only way I can think of validating an account other than a link is for them to fill out a form so the user can enter the code.

 

They don't need to fill out anything, a simple submit button is enough. You can leave the activation token in the URL or copy it into a hidden field.

 

A button is also very important for usability, because it allows the client to explicitly decide whether or not they want to activate the account. If you automatically do the activation just because the user has visited a certain page, that's very confusing and potentially against their will. It's simply not how the www works.

 

 

 

For instance, you said using a URI like user/123/delete would be a bad way, which I agree... but what would be the best way to get around this?

 

user/delete would be great but how to reference the id across?

 

The user ID can and should stay in the URL. The point is that you use an appropriate request method (not GET) and include an anti-CSRF token.

 

For example, I'd use the following URL to reference a particular user in the admin area:

https://admin.yoursite.com/users/123

To delete a user, you send a POST request with two parameters to this URL: one parameter specifies the action (e.g. action=delete), the other parameter is for the anti-CSRF token.

 

If your application uses Ajax rather than classical form-based interaction, you can use the DELETE method instead of POST and omit the action parameter. That's even more elegant. Unfortunately, HTML forms are currently limited to GET and POST.

Edited by Jacques1
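An added example of the pattern laid out in this reply (not code from the thread or the poster's framework): GET on /users/123 only renders a confirmation form that carries the action and an anti-CSRF token in hidden fields, and the actual deletion happens on POST after the token is checked. Requests and the session are simulated as PHP arrays, which is an assumption made so it runs from the command line; the route, field names and status codes are the example's own.

```php
<?php
// Added example: state changes only on POST, guarded by an anti-CSRF token.
declare(strict_types=1);

// Assumed: one CSRF token per session, created on first use.
function csrfToken(array &$session): string {
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Constant-time comparison so the check itself does not leak the token.
function csrfValid(array $session, array $post): bool {
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// GET  /users/{id}                 -> show the resource plus a delete form (no side effects)
// POST /users/{id} action=delete   -> delete, but only with a valid CSRF token
function handleRequest(string $method, string $path, array $post, array &$session, array &$users): array {
    if (!preg_match('#^/users/(\d+)$#', $path, $m)) {
        return ['status' => 404, 'body' => 'not found'];
    }
    $id = (int) $m[1];
    if (!isset($users[$id])) {
        return ['status' => 404, 'body' => 'no such user'];
    }

    switch ($method) {
        case 'GET':
            $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
            $form = "<form method=\"post\" action=\"/users/$id\">"
                  . "<input type=\"hidden\" name=\"action\" value=\"delete\">"
                  . "<input type=\"hidden\" name=\"csrf\" value=\"$token\">"
                  . "<button type=\"submit\">Delete user</button></form>";
            return ['status' => 200, 'body' => $form];

        case 'POST':
            if (!csrfValid($session, $post)) {
                return ['status' => 403, 'body' => 'bad or missing CSRF token'];
            }
            if (($post['action'] ?? '') !== 'delete') {
                return ['status' => 400, 'body' => 'unknown action'];
            }
            unset($users[$id]);
            return ['status' => 303, 'body' => 'deleted; redirect to /users'];

        default:
            // Other methods are refused rather than silently treated like GET.
            return ['status' => 405, 'body' => 'method not allowed'];
    }
}

// Constructed sample data: one user, an empty session.
$users = [123 => ['name' => 'alice']];
$session = [];

// 1. A plain GET never changes state, so a hot-linked image cannot delete anyone.
$r = handleRequest('GET', '/users/123', [], $session, $users);
echo "GET -> {$r['status']}, user present: " . (isset($users[123]) ? 'yes' : 'no') . "\n";

// 2. A cross-site POST cannot know the session's token, so it is rejected.
$r = handleRequest('POST', '/users/123', ['action' => 'delete', 'csrf' => 'guess'], $session, $users);
echo "forged POST -> {$r['status']}, user present: " . (isset($users[123]) ? 'yes' : 'no') . "\n";

// 3. The genuine form submission carries the token issued to this session.
$r = handleRequest('POST', '/users/123', ['action' => 'delete', 'csrf' => $session['csrf']], $session, $users);
echo "genuine POST -> {$r['status']}, user present: " . (isset($users[123]) ? 'yes' : 'no') . "\n";
```

The same shape works for the account activation discussed earlier in the thread: GET /account/activate?token=... renders a button, and the POST carrying the token plus the CSRF field is what flips the account to active. With an Ajax client the POST-plus-action branch can become a DELETE handler, as the reply notes.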
