
I'm building a note-taking app. When a user writes a note, an id is generated and I redirect them to a page where they can see its content with a URL like /note/DXSt832pS5iLuos6uxBn. What are the security risks of not double-checking that the user has access to this page, and simply trusting that if they know the id they're authorized?

The id is an autogenerated id from Firestore. I found this answer saying that it should be as unique as a GUID and crypto-quality random.

Hugo
  • Does this answer your question? [Is including a secret GUID in an URL Security Through Obscurity?](https://security.stackexchange.com/questions/36870/is-including-a-secret-guid-in-an-url-security-through-obscurity) – mentallurg Sep 23 '22 at 20:24

1 Answer


Properly done, the risk of using such a unique link without additional authentication is low. Properly done means that

  • Only authenticated users are redirected using such a link and only to resources they should be able to access
  • Since the link is intended for the redirect only, it should be very short-lived. This means it should be invalidated after the visit (i.e. the redirect was successful) and/or after a short time. Thus even if the user shares the link voluntarily or involuntarily (attack) with somebody else, the other person should not be able to access the content
Steffen Ullrich
  • Thanks! If the link isn't short-lived (in my case the GUID is the resource id), I assume the risks increase a lot? I assume an attacker or the network admins could see the links? – Hugo Sep 21 '22 at 12:53
  • @Hugo: if the link is long-lived it could be exposed in log files, browser history, explicitly shared with others ... . This is then basically not about a short redirect but having the unique URL as the only protection for a resource. There are questions here about this case - like [this](https://security.stackexchange.com/questions/112021/is-random-url-token-secure-enough-for-file-attachments-and-other-user-content). – Steffen Ullrich Sep 21 '22 at 13:19
  • Ah, thanks! That was my question. I'll mark it as a duplicate – Hugo Sep 21 '22 at 18:49
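The two properties the answer asks for, shown as an added example that is not part of the question or answer above: every read of /note/{id} checks the caller owns the note (the unguessable id is never treated as authorization on its own), and the post-creation redirect link is bound to the user, expires after a short time and is invalidated on its first visit. The class and method names, the in-memory store and the 60-second TTL are assumptions made for this example.

```python
import secrets
import time


class NoteStore:
    """In-memory store showing the two checks from the answer: ownership is
    verified on every read (an unguessable id alone is not authorization),
    and redirect links are bound to a user, short-lived and single-use.
    Class and method names are assumptions made for this example."""

    TOKEN_TTL = 60.0  # seconds a redirect link stays valid (assumed value)

    def __init__(self):
        self.notes = {}            # note_id -> (owner, body)
        self.redirect_tokens = {}  # token -> (note_id, owner, expires_at)

    def create_note(self, user, body):
        # Firestore-style random id, generated here with the secrets module.
        note_id = secrets.token_urlsafe(15)
        self.notes[note_id] = (user, body)
        return note_id

    def get_note(self, note_id, user):
        """Object-level authorization check: knowing the id is not enough."""
        entry = self.notes.get(note_id)
        if entry is None or entry[0] != user:
            return None  # identical response for missing and forbidden notes
        return entry[1]

    def issue_redirect_token(self, note_id, user, now=None):
        """Mint a link only for a resource the user is already allowed to read."""
        now = time.time() if now is None else now
        if self.get_note(note_id, user) is None:
            return None
        token = secrets.token_urlsafe(32)
        self.redirect_tokens[token] = (note_id, user, now + self.TOKEN_TTL)
        return token

    def redeem_redirect_token(self, token, user, now=None):
        """Invalidate on first visit and reject expired or foreign tokens."""
        now = time.time() if now is None else now
        entry = self.redirect_tokens.pop(token, None)  # single use
        if entry is None:
            return None
        note_id, owner, expires_at = entry
        if owner != user or now > expires_at:
            return None
        return note_id
```

A leaked long-lived URL (log files, browser history, a shared link) stays useless here because the note itself is only served after the ownership check, and the redirect token dies on first use or after the TTL.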