Is there a danger in creating a UUID on the client side in JavaScript?

I need to generate a UUID for storage in a database. Can I generate UUIDs from JavaScript in the client browser (here are some examples)?

Is there a security risk in doing it this way? I understand that anyone can change the UUID before it is transferred to the server for storage. So I will need to check that they are completely unique before storing them in the database, but other than that, are there any other things to check?

(Sorry for my English, feel free to fix any grammar errors)

Edit: To answer the questions about why I would like to do this: it is because I can create a new object and its identifier in JavaScript and add it to my view, and then make an AJAX call to the server to add it to the database. Thus, I do not need to fetch it from the database to find out what its primary identifier is.

+7
security uuid
4 answers

Not really. As long as it's a simple identifier and nothing more, and you really check it for authenticity and uniqueness, it is no different from user accounts that have an identifier in the URL, for example.

Look at your URL string. I bet 1296234 is the primary key of this question, but I cannot do anything with that information. The same goes for your script.

+9

What advantage do you see in creating this on the client side? In truth, the best option is to create it on the server side, away from users. It may not rid you of any serious security issues, but it will reduce redundant checking.

+3

Is there a reason why you cannot have the database generate an (auto-increment) identifier?

If, as you say, you will need to check the uniqueness of the value before saving it, why not just use whatever backend language you have? That would make it much more opaque.

+3

Yes. The risk is not specific to UUIDs; any identifier generated on the client side carries certain risks, depending on what you do with the identifier. The problem is that it is very difficult to authenticate JavaScript. If you accept an ID generated by the client, you accept any identifier from hackers.

Risks may include:

  • Session theft. If you use the identifier to identify a session, someone can submit an existing identifier as the generated identifier, and the server may treat it as an existing session if proper care is not taken.

  • Duplicate keys. A true UUID is random, but someone can generate duplicate keys that will ruin your database.

You may find ways to defend against each of these attacks, but this is passive defense. It may also defeat the original goal of generating identifiers on the client, which is simplicity.

+2
