I'm forwarding my visitors from a checkout page to /store/order/view/?id=735, but I don't want them to be able to view just anyone's order, so I need to encrypt the 735. What's the best way to do this so Javascript can encrypt it and PHP/MySQL can decrypt it?
What about instead of ?id=735 I do ?key=735-[TIMESTAMP_ORDER_WAS_PLACED], do you think that's secure enough?
分享 This is the wrong approach. You should be making sure that no user can access pages/records that do not belong to him (server-side). Doing this client-side does not provide any security. Keep in mind that anybody can read your JavaScript and thus will be able to do whatever he wants (breaking an encryption system is really easy when you know how something is encoded, exactly). Do not do this and use a server-side session-based payload-secured system. That will be much safer.
分享
