current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Programmers Stack Exchange is a question and answer site for professional programmers interested in conceptual questions about software development. It's 100% free.

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 1 down vote favorite

I'm currently developing a web application (using laravel) where I have a form that edit a resource. Something like this:

<!-- URL: /editResource/3 -->
<form action="/editResource/3" method="POST">
     <!-- Input fields -->
</form>

When I send the form the web application will update the resource 3.

But how I can prevent something like using developer tools to modify /editResource/3 to /editResource/4 and edit the wrong resource?

I'm not asking how to prevent some user editing other user resources; this can be accomplished by a simple validation, but I'm asking how to prevent user modifying this kind of data, since HTTP is stateless.

Thank you

EDIT: The question was misleading, I want to clarify that what I'm trying to find is a way to keep some information between requests, without user modifying it. I'm sending the information: 3 to the client so in the next request, the server knows that the user is editing the resource 3, but I want to do this without the risk generated by user changing this data.

share|improve this question
1  
Assuming the user is authorized resource 4, you can't. – whatsisname Nov 18 '14 at 2:05
3  
What is the risk? You can validate it server-side, and no user is going to accidentally change the resource – raptortech97 Nov 18 '14 at 2:39
    
You might be able to use a MAC, but that's still potentially vulnerable to replay attacks. – CodesInChaos Nov 18 '14 at 13:54
up vote 1 down vote accepted

I'd store the data server side in a session object or user profile record and then send the unmodified data each time.

share|improve this answer
up vote 6 down vote

You can't. If the data is on the user's end, the user is in control of it, not you. Trying to change this is an arms race you don't want to get into.

Instead, worry about what you have control of: the server. Validate data instead of blindly trusting it. HTTP may be stateless, but your app on the server-side doesn't have to be!

share|improve this answer
    
I edited the question, I'm asking something different, I need to send the data between requests, but without user modifying it. – IAmJulianAcosta Nov 18 '14 at 2:16
3  
@IAmJulianAcosta I would contend that the answer is still the same. You can't. When its on the client end, the client can modify it and trying to prevent that is an arms race. – user40980 Nov 18 '14 at 2:25
    
You can validate that the user hasn't modified the data by sending a cryptograhic hash of the data to the user along with the data. The user then returns the data and the hash. The user cannot modify the data without the server detecting it. – Craig S. Anderson Nov 18 '14 at 4:43
    
@IAmJulianAcosta: The best you can do is to generate non-sequential ID's, so that it becomes that much harder for a user to change it to a different valid one. – Bart van Ingen Schenau Nov 18 '14 at 8:06
    
@CraigAnderson: That makes no sense to do. The server doesn't have to accept data the client sends if it doesn't want to. If you don't want the client to change data, just ignore whatever the client says! – whatsisname Nov 18 '14 at 16:45

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.