
Securing a Private Messaging Application

Hi,

I’m incorporating a simple private messaging system into a site I’m working on and am trying to find a way of ensuring that the person requesting to view any given message (pulled from a db) is actually the recipient of the message.

For instance, if the link to view the message comprised a URL variable equal to the messageID, then anyone could use the same URL to view any message simply by changing the messageID.

Is there a common solution to this?

PHP

4 Comment(s)

@NogDogOct 14.2009 — I would think you'd need some sort of user login/authorization mechanism, so each user would be identified by a user ID (probably in a PHP session variable) which would be compared to the user IDs for any message they want to read.
@pavsidauthorOct 15.2009 — [QUOTE]I would think you'd need some sort of user login/authorization mechanism, so each user would be identified by a user ID (probably in a PHP session variable) which would be compared to the user IDs for any message they want to read.[/QUOTE]

Hi, I've got a login/authorisation system going so that won't be a problem - I guess just checking their userID against the recipientID of the message will suffice then, will it?

I was considering going down the route of passing a symmetrically encrypted string via the URL and then decrypting it on the receiving page - ensuring no-one could access messages they weren't meant to - is that severe overkill?!!
@NogDogOct 15.2009 — I would think that if you have a solid login/authentication mechanism in place, then it might be overkill. You might want to take a look at http://phpsec.org/projects/guide/4.html to see about steps to prevent session fixation/hijacking issues with your login. If you can also use SSL for your connection, that would be a good thing, too.
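The check the two posts above agree on, as an added example that is not code from either poster: the message is selected by its id AND by the recipient id taken from the server-side session, so changing the id in the URL cannot reach someone else's message. It assumes PHP with the pdo_sqlite extension; the table and column names (messages, id, recipient_id, body) are invented for the example.

```php
<?php
// Added example (not from the thread): recipient check for a private message
// view, run against an in-memory SQLite table so it works stand-alone.
declare(strict_types=1);

// Constructed sample data: one message addressed to user 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO messages (id, recipient_id, body) VALUES (1, 2, 'hello user two')");

// The pattern described in the question: the message id alone selects the row,
// so any logged-in user who edits ?id= in the URL can read any message.
function fetchMessageById(PDO $db, int $messageId): ?array
{
    $stmt = $db->prepare('SELECT id, recipient_id, body FROM messages WHERE id = ?');
    $stmt->execute([$messageId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened version: the recipient id comes from the session set at login
// (never from the request) and is part of the WHERE clause. A message that
// exists but belongs to someone else returns null exactly like a message that
// does not exist, so the response does not reveal other users' message ids.
function fetchMessageForRecipient(PDO $db, int $messageId, int $sessionUserId): ?array
{
    $stmt = $db->prepare('SELECT id, recipient_id, body FROM messages WHERE id = ? AND recipient_id = ?');
    $stmt->execute([$messageId, $sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Simulate two different logged-in users requesting the same URL (?id=1).
// In a real page: $messageId = (int) ($_GET['id'] ?? 0); $sessionUserId = $_SESSION['user_id'].
foreach ([1, 2] as $sessionUserId) {
    $unchecked = fetchMessageById($db, 1);
    $checked   = fetchMessageForRecipient($db, 1, $sessionUserId);
    printf("user %d: unchecked=%s checked=%s\n",
        $sessionUserId,
        $unchecked ? 'readable' : 'denied',
        $checked ? 'readable' : 'denied');
}
```

Only user 2 gets the message through the checked query; user 1 is denied even though the unchecked query would have handed it over.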
@pavsidauthorOct 15.2009 — Thanks for that...an interesting read. It's a big old topic, but arguably the most important!