Security question: User's unique ID in URL ... bad idea?

Hi,

I want to pass a “user” to another page. To do so, I’m passing the user’s unique ID as a parameter (in a key/value pair). This puts the unique ID in the URL. I’m trying to figure out if this is a security issue. Any thoughts?

Thanks

Passing the unique ID in the URL is only a security issue insofar as you develop (or under-develop) other components.

Some things to consider:

  • At a high level, if the Unique ID that you’re passing / referencing is that of the current user, then that is redundant. (The concept of “current user” carries throughout your application.)
  • If you develop strong privacy roles (i.e. differentiate roles between “current user” viewing their own records versus viewing the records of others), that’ll go a long way. (Ex. if you store a “friend list” on the user, and you have “friend’s Unique ID” as a parameter, the end user should only be able to access data if they are in the friend’s list of that user.)
  • Make sure that you don’t have workflows that would allow someone to manipulate another person’s data simply by dropping a different value in for the unique ID. (Ex. charge the Stripe account of the user in the Unique ID’s value.)
  • If you don’t want to immediately expose the unique ID in the URL (for vanity reasons or making things a bit more obscure), you can create your own workaround unique ID. (I only recommend doing this in limited circumstances - ex. having a profile found by username like Twitter.)

I’m sure others will have additional thoughts to add. Really good question to ask!


Dan (creator of LearnTo - 15+ hours of Bubble tutorials and live coaching)

2 Likes
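The checks listed in the answer above, sketched as an added example that is not part of the original thread and is not Bubble's own mechanism (in Bubble these rules would be expressed as privacy rules and workflow conditions). The `uid` parameter name, the `USERS` data and both function names are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: user id -> record with a friend list.
USERS = {
    "u1": {"name": "alice", "friends": {"u2"}},
    "u2": {"name": "bob", "friends": {"u1"}},
    "u3": {"name": "carol", "friends": set()},
}

def can_access(current_user_id, target_id, action):
    """Decide access from the session user, never from the URL value alone."""
    target = USERS.get(target_id)
    if current_user_id not in USERS or target is None:
        return False
    if current_user_id == target_id:
        return True                      # own record: read and write
    if action == "read":
        # Others may read only if the target lists them as a friend.
        return current_user_id in target["friends"]
    return False                         # writes/charges on other users: never

def handle_request(session_user_id, url, action="read"):
    """Return (status, body) for a request such as /profile?uid=<id>."""
    params = parse_qs(urlparse(url).query)
    # No uid in the URL means "current user", which makes the parameter
    # redundant for a user's own pages.
    target_id = params.get("uid", [session_user_id])[0]
    if not can_access(session_user_id, target_id, action):
        # Same response for "unknown id" and "not allowed", so the
        # endpoint does not confirm which ids exist.
        return 404, "not found"
    if action == "read":
        return 200, USERS[target_id]["name"]
    return 200, f"{action} applied to {target_id}"
```

Swapping a different value into `uid` changes nothing unless the session user is already entitled to that record, which is the property the bullet points ask for.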

Will a record’s unique ID ever change? Not sure what table maintenance processes Bubble uses behind the scenes but, whatever they do, could it ever affect the unique ID?

The unique ID remains the same :slight_smile:

Thank you