Currenty I’m implementing an authorization system in my website.
Because this is the first time I’m doing something like this I’m a bit
unsure how to handle hacking attempts - what should I display if someone
tries to open an URL he is not allowed to open?
Scenario 1 - user is not logged in yet:
a) When the user tries to open an unknown route, in production a 404
website is shown.
b) When the user tries to open an existing route, which needs a logged
in user he is redirected to the login screen
Scenario 2 - user is logged in:
a) When the user tries to open an unknown route, still a 404 website is
shown
b) (Now the interesting part) When the user tries to open an existing
route but he is not allowed to (which could be a hacking attempt) -
should there be an error message like “You are not allowed…” or should
also be shown a 404 (but with a notification to the webmaster)? And in
the second case - how can I show this 404 manually so it does not differ
in any way to the point a) ?
A search engine finds a post it cares about at http://example.com/forum/5/51.
That post is deleted.
A user searches, and is sent there.
Would you rather have them see “you idiot! do you think you can haxor
me!” or your opening page?
If you want to make the distinction between “possible hacking
attempts” and “pages that don’t exist” you can probably render :file
in your controller, and directly render the 404 file. If you do this,
be certain to set the 404 response code. However… would this break
some web caches, since the 404 response might be cashed? I don’t
know.
I’m comfortable in displaying a message like “You cannot edit this
item” and redirecting them to the item’s display page (if it’s public)
or to the list of items they can see, or to the home page, as
appropriate. I do the same thing for “record not found” as “you
cannot edit this item” in the redirect part. I just flash[:notice]
them about their lack of permission too.
On Wed, 24 Oct 2007 23:34:05 +0200, Joshua M. wrote:
b) (Now the interesting part) When the user tries to open an existing
route but he is not allowed to (which could be a hacking attempt) -
should there be an error message like “You are not allowed…” or should
also be shown a 404 (but with a notification to the webmaster)? And in
the second case - how can I show this 404 manually so it does not differ
in any way to the point a) ?
I generally prefer an error that doesn’t indicate that there’s something
there worth digging into, so that’d probably be a 404. You don’t want
to give a “You do not have permission to access this URL”. That just
screams “Find a hole and hack me!!”
On the other hand, you should think about whether you really want a
webmaster notification or not. If you get the notification, what are
you
actually going to do about it?
I’ve worked on large systems that start out being incredibly paranoid
about
all their input, and any time they get an invalid message, they log it
and
possibly even page the NOC. (Error! Emergency! Attempted to fetch
article 523 but it doesn’t exist! It’s missing! Go page the person who
might be able to restore article 523 from backups!)
That’s useful to work out the bugs. And, eventually, you realize that
there’s a pattern to the few errors that remain; they always come from
screen names like “133tHotGeek4u”. And you deduce that hackers have
found
a way to send requests for arbitrary article numbers to your server.
And
that’s when you turn it from a log message into a report statistic so
you
can see what percentage of your bandwidth budget is going toward hacker
activity. And then you ignore it.
–
Jay L. |
Boston, MA | My character doesn’t like it when they
Faster: jay at jay dot fm | cry or shout or hit. http://www.jay.fm | - Kristoffer
