Adrian Burlington wrote:
A relatively 'abstract security question': how can I stop users from manipulating the URL and circumventing a security permission?
Since the user ID is the prime means of identifying a user, it should never be visible to anyone or anything outside of the server. An approach to this is to use an encrypted cookie. When a user logs on he is sent an encrypted cookie that contains his user ID, time of generation (according to the server that created it), the login state, a random IV and a checksum/digest. Each subsequent request from the client takes with it the encrypted Cookie, which is decrypted by the server. The server then does some checks on the content of the Cookie value; as a minimum:
1) it checks that the checksum/digest indicates that the Cookie has not been tampered with,
2) it checks that the Cookie was presented within N minutes (say 5) of being created (a window of use). If it has expired then the user is forwarded to the login page to restart the process.
3) it checks the login state.
If it passes all the tests then it is accepted as valid and the request is actioned. When the results are passed back to the client, a new value for the Cookie is generated and encrypted.
At no time is the user ID exposed to anyone outside of the server.
The Cookie value has a very limited lifetime before it expires, which means the window available for reuse/copy to another computer is very small.
The Cookie value cannot be forged.
If one desires that Cookies not be enabled then one can instead use a hidden field to contain the encrypted values.
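The scheme described in the answer above, as an added example that is not from the original post: a server-side issue/validate pair in Python. Assumptions of this example: standard library only, so HMAC-SHA256 in counter mode stands in for a real cipher; the digest is computed over the ciphertext (encrypt-then-MAC) rather than stored inside it; the keys, the 5-minute window and the injectable clock are the example's own.

```python
import base64, hashlib, hmac, json, os, time

ENC_KEY = os.urandom(32)  # assumed: server-held keys, never sent to the client
MAC_KEY = os.urandom(32)
WINDOW_SECONDS = 5 * 60   # the "N minutes (say 5)" window of use

def _keystream(iv, length):
    # HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a real cipher).
    blocks = [hmac.new(ENC_KEY, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def issue_cookie(user_id, logged_in, now=None):
    """Encrypt {user_id, issued_at, login_state} under a fresh IV and append a digest."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "iat": now, "li": logged_in}).encode()
    iv = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(iv, len(payload))))
    tag = hmac.new(MAC_KEY, iv + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.urlsafe_b64encode(iv + ciphertext + tag).decode()

def validate_cookie(cookie, now=None):
    """Return the user ID if every check passes, else None (caller sends the login page)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except Exception:
        return None
    iv, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    # 1) digest check first, so tampered bytes are never decrypted or parsed
    expected = hmac.new(MAC_KEY, iv + ciphertext, hashlib.sha256).digest()
    if len(raw) < 48 or not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(iv, len(ciphertext))))
    data = json.loads(plaintext)
    # 2) window of use: reject a cookie older than N minutes (or dated in the future)
    age = (time.time() if now is None else now) - data["iat"]
    if not 0 <= age <= WINDOW_SECONDS:
        return None
    # 3) login state
    if not data["li"]:
        return None
    return data["uid"]

def handle_request(cookie, now=None):
    """Per-request flow: validate, act on the user ID, then re-issue a fresh cookie."""
    uid = validate_cookie(cookie, now)
    if uid is None:
        return None, None
    return uid, issue_cookie(uid, True, now)
```

The user ID only ever exists in plaintext inside the server; a client that edits the URL or the cookie has nothing to change that survives the digest check.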