How to ensure that the user does not modify what he wants by changing the id of the object supposed to be modified via a form?

security web

I have a simple problem and I'm looking for what kind of control I can write on the server side to avoid this case:

Via a form, the user can submit answers to a survey. When sending answers to the server, it therefore transmits the list of answers as well as the id of the survey. But nothing prevents him from modifying the id of the survey to put the answers on another survey... I don't see how to prevent that ?


You can't prevent users from changing the ID. However, there are ways to make sure that they can't do something nefarious by changing the ID:

  • Use long random IDs that are effectively unguessable. Then changing the ID will not submit to a different survey, but show an error.
  • Use login authentication and make sure that users have the correct permissions to answer a survey. That way if they change the ID, they could only answer surveys for which they have permission.
  • Serve a token with each survey. The survey can only be submitted back with a valid token that is tied to the ID (via cryptographic signature or by storing tokens and IDs in a database.)

Related

Angular 9 decorators on abstract base class
Deprecated configuration property 'spring.datasource.initialization-mode'
No option to ignore filemode if diff'ing not in a repository?
ValueError: shapes (3,4) and (5,2) not aligned: 4 (dim 1) != 5 (dim 0)
Netlify breaks after adding netlify.toml file
How to handle different logic in an if block with out duplicating code?
Restructure list of maps to one map in terraform
PHP : How to make my own 404 page not found error [duplicate]
How can I change picture on opening & closing details/summary?
google query, limit, "reference cell"
In react.js, updated state values aren't showing in table list( table list use state value )
Regex look behind until whitespace