URL manager: hide GET values (not params)

How do I hide GET values? I mean, I want to hide the actual values of the GET parameters in the URL.

For example, in the URL parameters:


'message/compose/<id:[0-9]+>/<VesselId:[0-9]+>'=>'message/compose',

Whenever I call Yii::app()->createUrl('message/compose', array('id'=>1, 'VesselId'=>33))

it shows up in the URL as localhost/application/message/compose/1/35

Actually I don’t like to show these values in the URL… as anyone can change these values and hack or make some errors. Do you know how I can hide these values?

E.g. the URL should look something like localhost/application/message/compose/<some hidden or encrypted value>

How can values be "hidden"?

You could encrypt or simply base64 encode values.

Right… but isn’t there something like a regular expression or something in the URL manager? I have actually read about it somewhere but not used it…

Sure, but anyway some value is visible (numbers or characters…)

… so how can I make sure now to NOT display the values? Any ideas? I am thinking of using the .htaccess but don’t know if that is the best solution.

Sorry, but how can you pass data to a function if there isn’t data in the URL parameters?

It’s impossible.

So, your last chance is to encrypt the data you pass.

It shouldn’t matter that they can change the values because you’ll be using some sort of authorisation to ensure that they can edit whatever they’re trying to edit.

Having said that, in my new site, I decided not to set any cookies on the user’s computer, or to start any sessions. I needed a way to show a confirmation page after the user sent a message through the contact form, so I encrypted the contact message ID with a private key and used it in the URL of the confirmation page. The confirmation page decrypts it to determine the appropriate message. Doing this prevents users from altering the URL to see other people’s sent messages.

There’s additional protection as the confirmation page is only available for 5 minutes after the form is submitted. Messages older than that can’t be loaded through that page.

Feel free to submit a message through the site contact form if you want to get an idea of how it works.
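
The scheme described in the post above (an encrypted ID in the URL that stops working after 5 minutes), as an added example that is not part of the original thread or the poster's site code. It assumes PHP 7.2+ with the bundled sodium extension; the function names, the token layout and the key handling are illustrative assumptions.

```php
<?php
// Added example. makeIdToken/readIdToken and the token layout are hypothetical names and choices.
const TOKEN_TTL = 300; // seconds; the 5-minute window mentioned in the post

// Encrypt and authenticate "id + issue time" into a URL-safe string.
function makeIdToken(int $id, string $key, ?int $now = null): string
{
    $plain = pack('NN', $id, $now ?? time());          // two unsigned 32-bit integers
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Return the ID, or null when the token is malformed, modified or expired.
function readIdToken(string $token, string $key, ?int $now = null): ?int
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                   // not valid base64
    }
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                   // too short to hold nonce + MAC
    }
    // secretbox is authenticated: any changed byte makes the open call fail.
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($plain === false || strlen($plain) !== 8) {
        return null;
    }
    $f   = unpack('Nid/Nts', $plain);
    $now = $now ?? time();
    if ($now < $f['ts'] || $now - $f['ts'] > TOKEN_TTL) {
        return null;                                   // issued in the future or expired
    }
    return $f['id'];
}

// Constructed demo values. A real application loads one fixed 32-byte key from
// server-side configuration instead of generating a new key per request.
$key      = sodium_crypto_secretbox_keygen();
$issued   = 1700000000;
$token    = makeIdToken(33, $key, $issued);
$tampered = substr($token, 0, -1) . ($token[-1] === 'A' ? 'B' : 'A');

var_dump(readIdToken($token, $key, $issued + 60));     // inside the 5-minute window
var_dump(readIdToken($tampered, $key, $issued + 60));  // last character changed
var_dump(readIdToken($token, $key, $issued + 301));    // past the 5-minute window
```

A token like this only stops the value from being read or altered; whether the current user may act on the decoded ID is still decided by the authorisation check mentioned in the post.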