How do I prevent other users from hijacking the HTTP request payload as other users?
I have a Laravel app with the route
Route::put('/api/{deviceMac}/access/update','DeviceController@update');
Rule:
If user A has deviceMac 000000000000, they should only be making a PUT to
http://www.app.com/api/000000000000/access/update
{deviceMac:000000000000, access: true}
If user B has deviceMac 111111111111, they should only be making a PUT to
http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: true}
User A should not be able to hijack the route update of other users.
User A should have access to 000000000000 only.
Right now, User A can tweak the HTTP request and make a PUT as User B:
http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: false}
Questions
How do I prevent other users from hijacking the request payload as other users?
Should I adjust my middleware to take care of this issue?
I'm open to any suggestions at this moment.
Any hints/suggestions/help on this will be much appreciated!
php laravel laravel-5 laravel-5.1 laravel-middleware
asked Nov 26 '18 at 16:40
kyokyo
1 Answer
Have a token based system.
Have some sort of sign in, or even something as simple as: when a user opens your app you send a request to your server with the MAC address of the current user and generate a token (bin2hex(random_bytes(30)); note this will generate a 60 character token which may or may not seem excessive) which is assigned to this MAC address.
Then, you can create a custom middleware that checks if the MAC address being sent has a token AND that the token matches the MAC address it was assigned to at startup.
On sign out don't forget to invalidate the token, and if you don't have a sign out, keep tokens alive on a time basis (actually, this step is advisable even if you have an explicit sign out button).
Finally, I would highly recommend that you update to the latest version of Laravel as you seem to be falling quite behind. The current version is 5.7 compared to your 5.1.
edited Nov 26 '18 at 17:32
answered Nov 26 '18 at 16:45
Script47
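The ownership check the question asks for and the answer's middleware suggestion, written as a Laravel route middleware (an added example, not the question's or the answerer's code). It assumes the `auth` middleware already identifies the caller (via the token scheme the answer describes, or a session), a `devices` table with `user_id` and `mac` columns, and a `devices()` relation on the User model; the class name `EnsureDeviceOwnership` and the alias `device.owner` are hypothetical.

```php
<?php
// app/Http/Middleware/EnsureDeviceOwnership.php (hypothetical path/name).
// Register it in app/Http/Kernel.php under $routeMiddleware as 'device.owner'.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureDeviceOwnership
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        if ($user === null) {
            return response()->json(['error' => 'Unauthenticated.'], 401);
        }

        // The URL parameter is the authoritative identifier. If the body also
        // carries a deviceMac, it must agree with the URL so a caller cannot
        // pass one MAC in the route and act on another in the payload.
        $routeMac = strtolower((string) $request->route('deviceMac'));
        $bodyMac  = strtolower((string) $request->input('deviceMac', $routeMac));
        if (!hash_equals($routeMac, $bodyMac)) {
            return response()->json(['error' => 'deviceMac in body does not match URL.'], 422);
        }

        // Authorization: the device must belong to the authenticated caller.
        // Returning 404 rather than 403 avoids confirming that another user's
        // MAC exists. (Assumes User::devices() hasMany relation, column `mac`.)
        $owns = $user->devices()->where('mac', $routeMac)->exists();
        if (!$owns) {
            return response()->json(['error' => 'Not found.'], 404);
        }

        return $next($request);
    }
}

// Route registration (array syntax works on Laravel 5.1 through 5.7):
// Route::put('/api/{deviceMac}/access/update', [
//     'middleware' => ['auth', 'device.owner'],
//     'uses'       => 'DeviceController@update',
// ]);
```

In the controller, update the device by the route parameter (`$request->route('deviceMac')`), never by a MAC read from the body, so the middleware's check is the only path to the record.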