Easily adding a Security Layer over Play! Web Application

I have been working on the development of a consumer-facing social web application for the past few weeks. In our attempt to get the MVP (Minimum Viable Product) out at the earliest, we concentrated on building features first. Now that the first launch is done, we have started looking at some of the infrastructure-related work. One of the most important items on our list is security improvement. Being a social website, we expect a lot of visitors. We should have good safeguards against malicious use and for the safety of our data.

Problem Context

We have REST APIs for communicating with the back end. A typical example is:

/api/users/{id}/?      Users.update

The signature of the Users.update() method is:

  public static void update(Long userId, User updatedUser) {
    // Find the User with userId in the DB
    // Update its properties from the passed updatedUser
    // Return the response
  }

Because we pass the user ID in the URL, this endpoint is quite susceptible to misuse.

Proposed Behavior

We decided to communicate through generated, unique and short-lived SessionIDs instead. The execution steps in the new flow would be something like:

  • The UI will request a SessionID for every user, and will do so at repeated intervals
  • The server will generate SessionIDs and keep track of the associated user
  • The SessionID will be passed with each request, along with the other required parameters
  • The server will validate the authenticity of the passed SessionID before processing any request
  • Back-end calls will get the corresponding user information by passing the SessionID. Thus the UI will never send UserIDs as part of a request
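
One way the server side of this flow could look, as an added example rather than code from the original application: a minimal in-memory store in plain Java 8+ (independent of Play) that issues random, short-lived SessionIDs and resolves them back to the user. The class name `SessionStore`, its methods, the 5-minute lifetime and the sample user ID are all assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper for illustration; not part of the original application.
public class SessionStore {
    private static final class Entry {
        final long userId; final Instant expiresAt;
        Entry(long userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final Duration ttl;
    public SessionStore(Duration ttl) { this.ttl = ttl; }

    // Issue a fresh, unguessable SessionID for an already-authenticated user.
    public String issue(long userId, Instant now) {
        byte[] raw = new byte[16];                 // 128 bits from a CSPRNG
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(userId, now.plus(ttl)));
        return id;
    }

    // Resolve a SessionID to its user; unknown or expired IDs resolve to empty.
    public Optional<Long> resolve(String sessionId, Instant now) {
        Entry e = (sessionId == null) ? null : sessions.get(sessionId);
        if (e == null) return Optional.empty();
        if (!now.isBefore(e.expiresAt)) {          // lifetime elapsed: drop the entry
            sessions.remove(sessionId, e);
            return Optional.empty();
        }
        return Optional.of(e.userId);              // the user comes from the server's map, never from the request
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(5)); // assumed lifetime
        Instant t0 = Instant.parse("2012-01-01T00:00:00Z");           // constructed timestamp
        String sid = store.issue(42L, t0);                            // constructed user ID
        System.out.println(store.resolve(sid, t0.plusSeconds(60)));   // within lifetime
        System.out.println(store.resolve(sid, t0.plusSeconds(600)));  // after lifetime
        System.out.println(store.resolve("forged-id", t0));           // never issued
    }
}
```

Entries are evicted only when they are resolved after expiry, so a long-running server would also need periodic cleanup, and more than one server would need shared storage for the map.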

Our Technology Stack

We are using Play 1.2.4 as our web application framework, with Java as the programming language for our back end. For those not familiar with Play, it is based on a simple stateless MVC architecture. For more information, please refer to their website.